Researchers at cybersecurity firm Lab52 discovered a new piece of Android malware while investigating into infrastructure associated with Russia-linked APT Turla.
The malicious code was discovered while analyzing the Penquin-related infrastructure, the experts noticed malware was contacting IP addresses that had been used as C2 in Russia-linked APT Turla’s operation.
One of the malicious binaries, an Android binary named Process Manager, was contacting the 82.146.35[.]240 address. Experts analyzed it and excluded the attribution to the Russian APT due to its capabilities.
Once installed on an Android device, the malware poses as Process Manager and a warning appears about the permissions granted to the application.
Below is the list of the granted permissions:
However, the number of permissions requested by the application amounts to 18:
|ACCESS_COARSE_LOCATION||Access to the phone location.|
|ACCESS_FINE_LOCATION||Access to the location based on GPS.|
|ACCESS_NETWORK_STATE||View the status of all networks.|
|ACCESS_WIFI_STATE||View WIFI information.|
|CAMERA||Take pictures and videos from the camera|
|FOREGROUND_SERVICE||Allows to put in foreground|
|INTERNET||Allows to create internet sockets|
|MODIFY_AUDIO_SETTINGS||Allows to modify audio settings|
|REAL_CALL_LOG||Allows to read a telephone call|
|READ_CONTACTS||Allows to read contacts information|
|READ_EXTERNAL_STORAGE||Allows to read external storage devices|
|WRITE_EXTERNAL_STORAGE||Allows to write to the Memory Card|
|READ_PHONE_STATE||Allows to read phone status and its id|
|READ_SMS||Allows to read SMS stored on the SIM card|
|RECEIVE_BOOT_COMPLETED||Allows to start the app when the device is turned on|
|RECORD_AUDIO||Access to the audio recorder|
|SEND_SMS||Allows to send sms|
|WAKE_LOG||Prevents the device from locking/hibernating|
After its first execution, the icon is removed and the application runs in the background, showing in the notification bar.
Upon configuring the application, the malicious code executes a series of tasks that steal information from the infected device and add it to a JSON.
The malicious code also gathers information on the installed packages and on the permissions the user has for each package.
“Once all the information has been collected in JSON format, the application contacts the C2 (82.146.35[.]240) and identifies the device by its model, version, id and manufacturer.” reads the analysis.
The researchers also noticed that the malware also attempts to download and install an application called Rozdhan using a goo.gl shorter.
The application is on Google Play and is used to earn money, has a referral system that is abused by the malicious code. The threat actors install it on the mobile device and make a profit.
“we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities.” concludes the report.
Who is behind this threat is still unclear, and did it use the Turla C2 infrastructure?
Is this a false flag operation of a third-party nation-state actor?
(SecurityAffairs – hacking, Android malware)