Malware, Threat Management

Turla-related infrastructure leveraged by novel Android spyware

Share

Lab52 researchers discovered that a new Android spyware application impersonating a "Process Manager" service has been communicating with infrastructure previously associated with Russian hacking group Turla in an effort to exfiltrate sensitive information, according to The Hacker News. "When the application is run, a warning appears about the permissions granted to the application. These include screen unlock attempts, lock the screen, set the device global proxy, set screen lock password expiration, set storage encryption, and disable cameras," said researchers. Activating the app prompts the malware to omit its icon from the home screen and proceed in accessing contacts and call logs, messages, and external storage, as well as capturing photos and recording audio from infected devices. The malware then collects the information in JSON format that is then sent to the remote server. While the evidence linking the spyware to Turla remains lacking, researchers found that the app also attempts to download the Roz Dhan app. "The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by the malware. The attacker installs it on the device and makes a profit," said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.