Previously unknown Android malware has been linked to hacking group Turla after discovering the infrastructure used by the app previously attributed to threat actors.
Turla is a Russian state-backed hacking group known for using custom malware to target European and American systems, primarily for spying purposes.
Threat actors have recently been linked to the Sunburst backdoor used in the SolarWinds supply chain attack in December 2020.
Android Spyware Tower?
Lab52 researchers have identified a malicious APK [VirusTotal] named “Process Manager” which acts as Android spyware, uploading information to threat actors.
Although it is unclear how the spyware is distributed, once installed Process Manager attempts to hide on an Android device using a gear-shaped icon, pretending to be a system component.
When first launched, the app prompts the user to allow it to use the following 18 permissions:
- Access coarse location
- Access to a beautiful location
- Access network status
- Access WiFi status
- Top service
- the Internet
- Change audio settings
- Read call log
- Read Contacts
- Read external storage
- Write external storage
- Read phone status
- Read SMS
- Startup reception completed
- Audio recording
- Send a text message
- wake up log
These permissions are a serious privacy risk as they allow the app to get a device’s location, send and read texts, access storage, take pictures with the device photo and record audio.
It’s unclear whether the malware abuses the Android Accessibility Service to grant itself permissions or tricks the user into approving a request.
After receiving permissions, the spyware removes its icon and runs in the background with only a permanent notification indicating its presence.
This aspect is quite strange for spyware which should generally strive to remain hidden from the victim, especially if it is the work of a sophisticated APT (Advanced Persistent Threat) group.
Information collected by the device, including lists, logs, SMS, recordings, and event notifications, is sent in JSON format to the command and control server at 82.146.35[.]240.
The distribution method of the APK is unknown, but if it is Turla, they commonly use social engineering, phishing, waterhole attacks, etc., so it could be anything what.
Strange case of abuse for profit
While researching the app, the Lab52 team also discovered that it was downloading additional payloads to the device and found a case of the app retrieved directly from the Play Store.
The app is called “Roz Dhan: Earn Money with Wallet”, and it is a popular app (10,000,000 downloads) with a money making referral system.
The spyware would upload the APK through the app’s referral system, potentially earning a commission, which is somewhat odd considering the actor in question is focused on cyber espionage.
This, in addition to the apparently unsophisticated implementation of Android spyware, leads us to believe that the C2 analyzed by Lab52 could be part of a shared infrastructure.
State actors have been known to follow this tactic, albeit rarely, as it helps them cover their tracks and confuse analysts.
Keep malware away
Android device users are advised to review the app permissions they have granted, which should be fairly easy on Android versions 10 and later, and revoke those that seem too risky.
Also, starting with Android 12, the operating system pushes indications when the camera or microphone is active, so if these appear orphaned, spyware is lurking in your device.
These tools are particularly dangerous when embedded in IoTs that run older versions of Android, generating money for their remote operators for long periods of time without anyone noticing the trade-off.