This virus records all conversations on a phone


This spy malware activates your microphone and geolocation, and has access to virtually everything on a smartphone. It bears several distinctive signs of a group of Russian hackers. But certain elements cast doubt on this attribution.


Here’s a new kid on the block in the malware universe. Identified by researchers at the security company Lab52, it installs on Android phones under the name Process Manager and may impersonate a legitimate component. Once launched, it asks to be granted up to 18 permissions in order to access almost all of the phone's functions, including listening to telephone conversations and geolocation. It’s not particularly discreet at first glance, but once it’s activated, the icon disappears and the app runs in the background.

With such a level of access to the phone, it seems obvious that this is a spy application. Everything seems to link it to a group of Russian hackers called Turla. This APT group is known to be supported by the Kremlin. Its modus operandi is the use of spyware, mainly to precisely target European and American targets. Turla’s name thus appeared in the SolarWinds cyberattack of 2020, and more specifically in the Sunburst backdoor, which allowed the group to break into the servers of many large American and European companies and organizations.

A difficult attribution

Apart from the fact that the malware comes in the form of an APK, i.e. an app installer for Android, the infection method remains far from obvious. This vagueness could also indicate that the malware is indeed used in a targeted way, via the phishing and social engineering methods that Turla is generally adept at. Another clue is that information collected by the device, such as text messages, recordings and event notifications, is sent to the command and control server at an IP address located in Russia.
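For triage, the capabilities described above (microphone, geolocation) and the data the article says is collected (text messages, recordings, notifications) can be checked against an APK's decoded AndroidManifest.xml, for instance as produced by apktool. This is an added example, not code from Lab52 or from the article; the sample manifest, the package name and the three-capability threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the article, mapped to the standard Android
# permissions that gate them. The grouping is this example's own.
CAPABILITIES = {
    "microphone/call recording": {"android.permission.RECORD_AUDIO"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "text messages": {"android.permission.READ_SMS",
                      "android.permission.RECEIVE_SMS"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

# Constructed sample manifest (not the Lab52 sample); package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.processmanager">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Process Manager">
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text, min_capabilities=3):
    """Return (requested permissions, capabilities hit, flagged) for one manifest.

    min_capabilities is an assumed triage threshold, not a published rule.
    For untrusted manifests a hardened parser such as defusedxml is preferable.
    """
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag)} - {None}
    # Notification listeners are declared as services guarded by a BIND_*
    # permission rather than requested through <uses-permission>.
    bound = {el.get(ANDROID_NS + "permission") for el in root.iter("service")} - {None}
    seen = requested | bound
    hits = sorted(cap for cap, perms in CAPABILITIES.items() if perms & seen)
    return sorted(requested), hits, len(hits) >= min_capabilities


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A flag from this check is only a prompt for closer analysis: legitimate apps also combine these permissions, and the manifest does not show runtime behaviour such as the icon being hidden after launch.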

But here's the thing… According to the Lab52 researchers, the attribution remains risky, since other elements do not match the methods of the Russian hacker group. The malware downloads additional payloads, in particular an application called Roz Dhan, which allows you to earn money through a referral system. A strange fact for a group adept at cyber espionage. Also, the app looks unsophisticated. It is therefore difficult at this point in the investigation to know whether this malware really comes from Russian hackers.
