Smartphones have lots of sensors. And because those devices connect to the internet, they can be targeted by a mass surveillance campaign conducted by hackers.
This time, a previously unknown Android malware has been spreading, spying on Android users through an app called the 'Process Manager'. The hacking campaign is allegedly linked to Turla, a state-sponsored hacking group from Russia.
The group has been linked to a number of espionage targeting European and American citizens.
Researchers from Lab52 who discovered it, said that upon installation, the app in question will instantly hide on victims' Android device using a gear-shaped icon, pretending to be a system component.
Persistent, the malware access victims' camera to see what it sees, and microphone to hear what it hears.
The app can also track locations, send or read text messages, and access victims' storage to see what's inside it.
In order to do what it must do, the app asks for tons of permissions.
In total, the app asks for 18 different permissions:
- Access to the phone location.
- Access to the location based on GPS.
- View the status of all network.
- View Wi-Fi information.
- Take pictures and videos from the camera.
- Allows to put in foreground.
- Allows to create internet sockets.
- Allows to modify audio settings.
- Allows to read a telephone call.
- Allows to read contacts information.
- Allows to read external storage devices.
- Allows to write to the Memory Card.
- Allows to read phone status and its ID.
- Allows to read SMS stored on the SIM card.
- Allows to start the app when the device is turned on.
- Access to the audio recorder.
- Allows to send SMS.
- Prevents the device from locking/hibernating.
If everything is granted, the spyware can remove the app icon, and runs quietly in the background.
While researching the app, the researchers at Lab52 also found that the app can download additional payloads to be installed on victims' device, and found a case of an app fetched directly from the Play Store.
The app is named 'Roz Dhan: Earn Wallet cash,' which is an app featuring a money-generating referral system.
The spyware reportedly downloads the apps' APK file through the app's referral system, likely to earn a commission.
The researchers linked the app to the Turla hacking group after discovering that the app used infrastructure previously attributed to the threat actors.
It was discovered that the information that is collected from infected devices is sent in the JSON format to a command and control server with an IP address in Russia.
"During our analysis of the Penquin-related infrastructure we reported in our previous post, we paid special attention to the malicious binaries contacting these IP addresses, since as we showed in the analysis, they had been used as C2 of other threats used by Turla," said the researchers in a blog post.
"One threat that makes contact with the 82.146.35[.]240 address in particular caught our attention, as it was the only one that contacts against that IP and it was an Spyware for Android devices."
However, the researchers added that "the attribution to Turla does not seem possible given its threat capabilities."