The spyware is disguised as a "Process Manager" application

(Image credit: GETTY IMAGES )

A new risk for Android users: a previously undetected Android spyware uses the same shared hosting infrastructure previously used by Turla, the Russian APT group, although a firm attribution to the group is not possible.

Turla is a Russian state-sponsored hacking organization known for using customized malware to attack European and American systems, with the primary goal of spying.

The threat actors have been linked to the Sunburst backdoor used in the SolarWinds supply-chain attack in December 2020. The newly found spyware can track a user's location and record audio.

New Android spyware

Researchers from Lab52 discovered a malicious APK on VirusTotal named "Process Manager" that acts as Android spyware, sending the collected data to the threat actors.

Although the distribution method is unclear, once installed Process Manager tries to hide on the Android device by using a gear-shaped icon and posing as a system component.

On first launch, the app asks the user to grant it the following permissions:

  • Access coarse location
  • Access fine location
  • Access network state
  • Access WiFi state
  • Camera
  • Foreground service
  • Internet
  • Modify audio settings
  • Read call log
  • Read contacts
  • Read external storage
  • Write external storage
  • Read phone state
  • Read SMS
  • Receive boot completed
  • Record audio
  • Send SMS
  • Wake lock

These permissions pose a significant privacy risk, since they allow the application to determine the device's location, send and read text messages, access storage, capture images with the camera, and even record audio.

It's unclear whether the malware abuses the Android Accessibility service to grant itself these permissions or simply tricks users into accepting the request.

After the spyware receives its permissions, it removes its icon and runs in the background, although it displays an ongoing notification that reveals its presence.

The persistent notification poses as a system service (Image credit: lab52)

This is odd for spyware that is supposed to stay hidden from the victim, particularly if it comes from an advanced persistent threat (APT) group.

The data gathered from the device, including lists of logs, SMS messages, recordings, and event notifications, is transmitted in JSON form to the command and control server at 82.146.35.240, which is located in Russia.

Establishing the C2 connection to send the stolen data (Image credit: lab52)

The method used to distribute the APK is not known. If it is Turla, however, they would likely rely on social engineering, phishing, and similar techniques, although it could be anything.

A bizarre case of abuse to gain profits

While researching the app, Lab52 also discovered that it downloads additional payloads onto the device, including, in one case, an app fetched straight from the Play Store.

The app, titled "Roz Dhan: Make Wallet cash", is a well-known application (10,000,000 downloads) with a cash-generating referral system.

Abused application on the Play Store

The spyware is said to download the APK via the app's referral system, likely to earn a commission, which is odd considering that this actor specializes in cyber espionage.

This, together with the implausibly simple implementation of the Android spyware, suggests that the C2 Lab52 analyzed could be part of a shared infrastructure.

State actors are known for this tactic, although it is not common; it lets them conceal their tracks and makes it difficult for analysts to work out who is behind an operation.

However, because of the malware's unsophisticated capabilities and its use of referral-based monetization, the researchers don't believe this to be the work of a state-sponsored actor like Turla.

"So with this paper, we'd like to present our findings regarding using this particular piece of malware, even though the connection to Turla is not possible due to its threats," explain the Lab52 researchers.

Be sure to keep malware out

Android users are advised to review the permissions their apps have been granted, which is relatively simple on Android 10 and later, and to revoke any that seem too risky.

Additionally, beginning with Android 12, the OS shows an indicator whenever the microphone or camera is in use. If these indicators are missing, it could be spyware on your device.
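As an added example (not from the article or Lab52), here is a small POSIX shell audit that checks which of the permissions in the list above an installed app has actually been granted, using the output of `adb shell dumpsys package`. It assumes adb is on PATH with a device attached when a package name is passed; without one it runs against a constructed sample.

```shell
#!/bin/sh
# Flag granted permissions that match the set requested by the "Process
# Manager" spyware described above. Android permission identifiers are used.
RISKY_PERMS="android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.CAMERA
android.permission.RECORD_AUDIO
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_PHONE_STATE
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED"

# granted_risky_perms: reads `dumpsys package <pkg>` text on stdin and prints
# each risky permission reported as "granted=true", one per line, sorted.
# Exact-line matching (grep -Fx) avoids false hits on longer permission names.
granted_risky_perms() {
  grep -o 'android\.permission\.[A-Z_]*: granted=true' |
    sed 's/: granted=true//' | sort -u |
    while IFS= read -r perm; do
      if printf '%s\n' "$RISKY_PERMS" | grep -Fxq "$perm"; then
        printf '%s\n' "$perm"
      fi
    done
}

# Constructed sample of dumpsys output (hypothetical package name).
SAMPLE='  Package [com.example.procmgr] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=true
      android.permission.SEND_SMS: granted=false
      android.permission.READ_SMS: granted=true'

if [ -n "${1:-}" ] && command -v adb >/dev/null 2>&1; then
  # Live check; revoke a flagged runtime permission with:
  #   adb shell pm revoke <package> <permission>
  adb shell dumpsys package "$1" | granted_risky_perms
else
  printf '%s\n' "$SAMPLE" | granted_risky_perms
fi
```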

Such apps are particularly risky when embedded in IoT devices running outdated Android versions, where they can generate money for remote operators for extended periods without anyone being aware of the risk.

(Image credit: quietbits/Shutterstock)