Information security researchers have identified new Android spyware that uses the same shared hosting infrastructure as the Russian APT (advanced persistent threat) group Turla, although the attribution rests on thin evidence and is unconvincing.
The state-backed group is known for custom malware used primarily to spy on US and European systems. Its operators were recently linked to the Sunburst backdoor used in the SolarWinds supply chain attack in December 2020.
Numerous permissions and minimal effort to hide
The malicious APK [VirusTotal], named ‘Process Manager’, was identified by Lab52 researchers. The malware acts as spyware on Android devices, exfiltrating information to the threat actors.
Although the distribution method of Process Manager is still unknown, once installed the threat hides behind a gear icon, posing as a system component. When launched, the app prompts the user to grant 18 permissions:
- Approximate location access
- Access to exact location
- Network state access
- Wi-Fi status access
- Foreground service
- Modify audio configuration
- Read call log
- Read contacts
- Read SD card and other data storage points
- Save logs from storage or SD card
- Read from phone status
- Read SMS
- Receive full reset
- Record audio
- Send SMS
- Wake lock
If granted, these permissions pose a serious privacy risk: the app gains access to the device’s location, reads and sends SMS, accesses files in storage, takes pictures with the device’s camera and records audio.
The malware also abuses Android’s Accessibility service, but it is unclear whether this is used to grant itself permissions or as a ploy to get the user to approve a request.
After the user grants the permissions, the spyware removes the gear icon, and a notification indicates that it is running in the background. This is unusual behavior for spyware, which normally makes an effort to hide its presence.
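A defender-side check for the pattern described above, added here as an example and not taken from the article or from Lab52: it parses an APK's decoded AndroidManifest.xml (as produced by apktool, for instance) and flags the permission combination plus the accessibility-service declaration. The manifests inside the block are constructed samples, and the "three capability groups, or accessibility plus any group" threshold is this example's own heuristic.

```python
# Added example (not code from the article or Lab52): static triage of an
# AndroidManifest.xml for the permission set and accessibility-service
# declaration described above. Manifests here are constructed samples.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Capability groups built from the permissions listed in the article.
GROUPS = {
    "location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
    "sms": {"READ_SMS", "SEND_SMS"},
    "audio": {"RECORD_AUDIO", "MODIFY_AUDIO_SETTINGS"},
    "camera": {"CAMERA"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "identity": {"READ_CALL_LOG", "READ_CONTACTS", "READ_PHONE_STATE"},
}

def triage_manifest(xml_text):
    # Which capability groups are requested, and is an AccessibilityService
    # declared? Heuristic: flag 3+ groups, or accessibility plus any group.
    root = ET.fromstring(xml_text)
    requested = {(e.get(A + "name") or "").rsplit(".", 1)[-1]
                 for e in root.iter("uses-permission")}
    hits = {g: sorted(requested & p) for g, p in GROUPS.items() if requested & p}
    # An AccessibilityService is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    has_a11y = any(s.get(A + "permission") == ACCESSIBILITY
                   for s in root.iter("service"))
    return {"groups": hits, "accessibility_service": has_a11y,
            "suspicious": len(hits) >= 3 or (has_a11y and bool(hits))}

def build_manifest(perms, with_a11y):
    # Helper that emits a constructed manifest string for the samples below.
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    if with_a11y:
        body += (f'<application><service android:name=".Svc" '
                 f'android:permission="{ACCESSIBILITY}"/></application>')
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"{body}</manifest>")

# Constructed sample mirroring the article's permission list plus accessibility.
SPYWARE_LIKE = build_manifest(
    ["ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE",
     "ACCESS_WIFI_STATE", "FOREGROUND_SERVICE", "MODIFY_AUDIO_SETTINGS",
     "READ_CALL_LOG", "READ_CONTACTS", "READ_EXTERNAL_STORAGE",
     "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE", "READ_SMS", "RECORD_AUDIO",
     "SEND_SMS", "WAKE_LOCK"], with_a11y=True)
# Constructed sample of an ordinary messaging app: SMS only, no accessibility.
BENIGN_LIKE = build_manifest(["READ_SMS", "SEND_SMS", "INTERNET"], False)
```

Run `triage_manifest` over a real decoded manifest to get the group hits and the accessibility flag; a true `suspicious` result is a prompt for manual review, not a verdict on its own.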
The collected information — lists, logs, SMS, recordings and event notifications — is sent in JSON format to the C2 server at 82.146.35[.]240, an IP address located in Russia.
The research team also found that the malware downloads additional payloads to the device, and that it fetches a popular app (10 million downloads) called “Roz Dhan: Earn Wallet cash” directly from the Play Store.
The spyware likely downloads that APK through the app’s referral system, earning the operators a commission for the referral. This characteristic, together with the unsophisticated implementation, suggests that the command and control server analyzed by Lab52 may be part of a shared infrastructure.
This tactic is used by nation-state actors, albeit rarely, because it helps cover their tracks and confuse analysts. However, other features of the threat and the use of referral-based monetization lead the researchers to doubt that the work is by a group like Turla. “Therefore, in this report, we want to share our analysis on the capabilities of this piece of malware, although attribution to Turla does not seem possible given its threat capability,” the Lab52 researchers explain.
How to protect yourself
As with any app, both iOS and Android users are advised to review the permissions granted to their apps and revoke any that are unnecessary.
As of Android 12, the operating system shows an indicator when the camera or microphone is active. If they were not activated on purpose, chances are the device is infected with spyware.
On older devices, such tools are hidden more easily, and the owner may not notice the threat.