Android malware linked to Russian attackers discovered can record audio and track your location

Security researchers have detected and documented a new Android malware that records audio and tracks location once installed on a device. The malware uses the same shared hosting infrastructure as the Russian hacking group known as Turla, although it is unclear whether the state-backed group has any direct relationship to it. It is delivered as a malicious APK that functions as Android spyware and carries out its actions in the background, without clearly informing the user.

Researchers from threat intelligence firm Lab52 have identified Android malware named Process Manager. Once installed, it appears in the device’s app drawer as a gear-shaped icon – disguised as a preloaded system service.

The researchers found that the app requests a total of 18 permissions when first run on the device. These include access to the phone’s location and Wi-Fi information, the camera for taking photos and videos, and the microphone for recording audio.

It is unclear whether the app is granted permissions by abusing the Android Accessibility Service or tricking users into granting access.

Once the malicious app has been run for the first time, its icon is removed from the app drawer. The app keeps running in the background, and its running status is shown in the notification bar. Android displays a persistent notification for any app running a foreground service, so that notification is worth checking whenever a recently installed app disappears from the launcher.

The researchers observed that, depending on which permissions it has been granted, the app sets up and runs a list of collection tasks. These include gathering details about the phone it is installed on, recording audio, and collecting information such as Wi-Fi settings and contacts.
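The permission set described above (microphone, location, camera, contacts, Wi-Fi state) is itself a usable triage signal. The script below is an added example, not code from Lab52 or from the malware: it parses the `adb shell dumpsys package` output for installed packages and flags any app that has actually been granted RECORD_AUDIO together with several of the other collection permissions. The dumpsys text embedded in the block is constructed to match the general layout of that command’s output, and the package names in it (`com.example.chat`, `com.example.procmgr`) are placeholders; the exact formatting of `dumpsys package` varies between Android releases, so the regular expressions may need adjusting against a real device.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on `adb shell dumpsys package` output for two
# packages: a benign app that was denied the microphone, and a placeholder
# spyware-like app holding the full collection set. This is not a capture
# from a real device and the package names are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.chat] (a1b2c3):
    userId=10201
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.procmgr] (d4e5f6):
    userId=10202
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    User 0: ceDataInode=2 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

# A package header line, e.g. "  Package [com.example.chat] (a1b2c3):"
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# A permission line carrying a grant state, from either the install or runtime
# permissions section, e.g. "android.permission.CAMERA: granted=true, flags=[...]".
# Lines under "requested permissions:" have no "granted=" and are ignored.
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Permissions that together enable the collection behaviour described for
# Process Manager: audio, location, camera, contacts and Wi-Fi details.
COLLECTION_PERMS: Set[str] = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_WIFI_STATE",
}


def parse_granted(dump: str) -> Dict[str, Set[str]]:
    """Map each package name to the set of permissions reported as granted=true."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        g = GRANT_RE.match(line)
        if g and current is not None and g.group(2) == "true":
            granted[current].add(g.group(1))
    return granted


def flag_surveillance_apps(granted: Dict[str, Set[str]], min_hits: int = 3) -> Dict[str, List[str]]:
    """Return packages that hold RECORD_AUDIO plus enough other collection permissions.

    Only permissions that are actually granted count, so an app that merely
    requested the microphone but was denied it is not flagged.
    """
    flagged: Dict[str, List[str]] = {}
    for pkg, perms in granted.items():
        hits = perms & COLLECTION_PERMS
        if "android.permission.RECORD_AUDIO" in hits and len(hits) >= min_hits:
            flagged[pkg] = sorted(hits)
    return flagged


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then parse that file.
    for pkg, perms in flag_surveillance_apps(parse_granted(SAMPLE_DUMPSYS)).items():
        print(pkg, "->", ", ".join(p.rsplit(".", 1)[1] for p in perms))
```

The check keys on granted rather than requested permissions because a spyware app that was refused the microphone cannot record, while a flagged app that has also been granted INTERNET has both the collection and the exfiltration channel the article describes. The threshold is deliberately loose; a legitimate voice messenger can hold microphone, camera and contacts, so a hit is a prompt to look at the package name, installer and whether it still has a launcher icon, not a verdict.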

On the audio side specifically, the researchers found that the app records audio from the device and saves it as an MP3 file in the app’s cache directory.

The malware bundles all the collected data and sends it in JSON format to a server located in Russia.

Although it is not known exactly how the malware reaches devices, the researchers found that its creators abuse the referral system of an app called Roz Dhan: Earn Wallet Cash, which is available on Google Play and has over 10 million downloads. The malware is said to download that legitimate application, install it on the device, and then take advantage of its referral system.

This is relatively unusual for spyware, whose operators normally focus on cyber espionage. As Bleeping Computer notes, the odd behaviour of downloading an app to earn commissions from its referral system suggests that the malware could be part of a larger system that has yet to be discovered.

That said, Android users are advised to avoid installing unknown or suspicious apps on their devices. They should also review the permissions they have granted to apps, to limit third-party access to the device’s hardware. Android’s permission manager in Settings lists, per permission, every app that currently holds microphone, camera or location access, which is a quick way to spot an app that has vanished from the launcher but still holds those permissions.
