This virus records all conversations on a phone

This spy malware activates your microphone, geo-fencing and has almost all access to a smartphone. It bears several distinctive signs of a group of Russian hackers. But certain elements cast doubt on this attribution.


Here’s a newcomer to the malware universe. Identified by researchers at the security company Lab52, it installs on Android mobile phones under the name Process Manager and can pass itself off as a legitimate application. Once launched, it asks to be granted up to 18 permissions that give it access to almost every function of the phone, including listening to phone calls and geolocation. That is not particularly discreet at first glance, but once activated, its icon disappears and the app keeps running in the background.
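As an added illustration (not code from the article or from Lab52), the following Python heuristic flags installed apps that fit the profile just described: a large number of requested permissions spanning microphone, location, messaging and calls, combined with a missing launcher icon. The app inventory, the package names and the record layout are constructed assumptions; on a real device the same fields would be collected from the package manager (for example with `adb shell dumpsys package <pkg>`).

```python
# Added defender-side example, not from the article or Lab52.
# Maps Android permission constants to a coarse access category.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "messaging",
    "android.permission.RECEIVE_SMS": "messaging",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_PHONE_STATE": "calls",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
}

def assess(app, min_permissions=10, min_categories=3):
    """Return (score, reasons) for one app record (hypothetical layout:
    package, launcher_icon, permissions). A score of 2 or more is worth
    a closer look; no single signal is conclusive on its own."""
    requested = set(app["permissions"])
    categories = {SENSITIVE[p] for p in requested if p in SENSITIVE}
    reasons = []
    if len(requested) >= min_permissions:
        reasons.append(f"requests {len(requested)} permissions")
    if len(categories) >= min_categories:
        reasons.append("sensitive access: " + ", ".join(sorted(categories)))
    if not app["launcher_icon"]:
        reasons.append("no launcher icon (hidden from the app drawer)")
    return len(reasons), reasons

def suspicious_apps(inventory):
    """List (package, reasons) for every app scoring at least 2."""
    return [(a["package"], assess(a)[1]) for a in inventory if assess(a)[0] >= 2]

# CONSTRUCTED sample inventory: one app mimicking the described profile,
# one ordinary app requesting a single location permission.
INVENTORY = [
    {"package": "com.example.processmanager", "launcher_icon": False,
     "permissions": list(SENSITIVE) + ["android.permission.INTERNET",
                                       "android.permission.RECEIVE_BOOT_COMPLETED",
                                       "android.permission.WAKE_LOCK"]},
    {"package": "com.example.weather", "launcher_icon": True,
     "permissions": ["android.permission.ACCESS_COARSE_LOCATION",
                     "android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for pkg, why in suspicious_apps(INVENTORY):
        print(pkg, "->", "; ".join(why))
```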

With such a level of access to the phone, it seems clear that this is a spyware application. Everything seems to link it to a group of Russian hackers called Turla. This APT group is known to be backed by the Kremlin. Its modus operandi is the use of spyware to precisely target European and American organizations. Turla’s name thus came up in the 2020 SolarWinds cyberattack, and more specifically in connection with the Sunburst backdoor, which allowed the group to hack into the servers of many major US and European companies and organizations.

A difficult attribution

Apart from the fact that the malware comes in the form of an APK, i.e. an app installer for Android, the mode of infection remains far from obvious. This vagueness may also indicate that the malware is used in a targeted way, through the phishing and social engineering methods at which Turla is generally adept. Another indication is that the information collected by the device, such as text messages, recordings and event notifications, is sent to an IP address located in Russia.

But here’s the thing. According to the researchers at Lab52, the attribution remains risky because other elements do not match the methods of the Russian hacker group. The malware does indeed download additional payloads, in particular an application called Roz Dhan that lets the user earn money through a referral system. An odd fact for a group specialized in cyber espionage. The app itself also appears to be untouched. It is therefore difficult at this point in the investigation to know whether this malware really comes from Russian hackers.
