Experts spotted a new Android malware while investigating by Russia-linked Turla APT

Pierluigi Paganini April 04, 2022

Researchers spotted a new piece of Android malware while investigating activity associated with Russia-linked APT Turla.

Researchers at cybersecurity firm Lab52 discovered a new piece of Android malware while investigating into infrastructure associated with Russia-linked APT Turla.

The malicious code was discovered while analyzing the Penquin-related infrastructure, the experts noticed malware was contacting IP addresses that had been used as C2 in Russia-linked APT Turla’s operation.

One of the malicious binaries, an Android binary named Process Manager, was contacting the 82.146.35[.]240 address. Experts analyzed it and excluded the attribution to the Russian APT due to its capabilities.

Android Malware

Once installed on an Android device, the malware poses as Process Manager and a warning appears about the permissions granted to the application.

Below is the list of the granted permissions:

However, the number of permissions requested by the application amounts to 18:

PERMISSIONSDESCRIPTION
ACCESS_COARSE_LOCATIONAccess to the phone location.
ACCESS_FINE_LOCATIONAccess to the location based on GPS.
ACCESS_NETWORK_STATEView the status of all networks.
ACCESS_WIFI_STATEView WIFI information.
CAMERATake pictures and videos from the camera
FOREGROUND_SERVICEAllows to put in foreground
INTERNETAllows to create internet sockets
MODIFY_AUDIO_SETTINGSAllows to modify audio settings
REAL_CALL_LOGAllows to read a telephone call
READ_CONTACTSAllows to read contacts information
READ_EXTERNAL_STORAGEAllows to read external storage devices
WRITE_EXTERNAL_STORAGEAllows to write to the Memory Card
READ_PHONE_STATEAllows to read phone status and its id
READ_SMSAllows to read SMS stored on the SIM card
RECEIVE_BOOT_COMPLETEDAllows to start the app when the device is turned on
RECORD_AUDIOAccess to the audio recorder
SEND_SMSAllows to send sms
WAKE_LOGPrevents the device from locking/hibernating

After its first execution, the icon is removed and the application runs in the background, showing in the notification bar.

Upon configuring the application, the malicious code executes a series of tasks that steal information from the infected device and add it to a JSON.

The malicious code also gathers information on the installed packages and on the permissions the user has for each package.

“Once all the information has been collected in JSON format, the application contacts the C2 (82.146.35[.]240) and identifies the device by its model, version, id and manufacturer.” reads the analysis.

The researchers also noticed that the malware also attempts to download and install an application called Rozdhan using a goo.gl shorter.

The application is on Google Play and is used to earn money, has a referral system that is abused by the malicious code. The threat actors install it on the mobile device and make a profit.

“we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities.” concludes the report.

Who is behind this threat is still unclear, and did it use the Turla C2 infrastructure?

Is this a false flag operation of a third-party nation-state actor?

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment