Be careful if a small round icon representing a gear wheel appears in the notification bar of your Android smartphone. It could be spyware, researchers from the Spanish cybersecurity firm Lab52 have just revealed. Hidden behind an application called Process Manager, which may have been downloaded after clicking a link, the malware needs only one curious tap to get started.
Anyone who taps it is immediately asked for a whole series of authorizations: GPS, the list of incoming and outgoing calls, the contact list, the camera, the coordinates of the Wi-Fi networks used and, above all, the ability to listen in on phone calls. In total, 18 permissions must be granted, and the attackers are counting on the bad habit of allowing all cookies and notifications every day when connecting to websites or applications, a bit like accepting the familiar terms and conditions of use without reading them.
“The software and the technology are not very advanced,” says, with some surprise, Benoit Ferault, a cybersecurity expert at Quarkslab, a French company specializing in security research, whom we contacted. Once the permissions are granted, the software scans and transfers all the data from your phone to a server in Russia. The application then disappears from your home screen. “But it works in the background and stays in the notification bar, which isn’t the most discreet,” says our cybersecurity expert.
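The behaviour described above, a single consent prompt followed by a long list of sensitive permissions that stay granted while the app runs in the background, is something you can check for on a device you suspect by reading the permission state the package manager reports. The following Python script is an added example and is not code from the article, Lab52 or Quarkslab: it parses text in the shape of `adb shell dumpsys package` output and ranks packages by how many dangerous (runtime) permissions are actually granted. The sample output, the package names and the threshold are constructed for illustration; the list of dangerous permissions is a subset taken from Android's permission reference.

```python
"""Triage helper: rank installed Android apps by granted dangerous permissions.

Added example, not code from the article, Lab52 or Quarkslab. It parses text
shaped like `adb shell dumpsys package <pkg>` output; the sample below is
constructed to mimic that format and its package names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Subset of Android's dangerous-protection-level permissions: the kinds of
# access the article lists (location, call logs, contacts, camera, call audio).
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")          # "Package [name] (hash):"
PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+): granted=(true|false)")
REQ_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)\s*$")
SECTIONS = ("requested permissions:", "install permissions:", "runtime permissions:")


@dataclass
class PackageInfo:
    name: str
    requested: set = field(default_factory=set)   # everything the manifest asks for
    granted: set = field(default_factory=set)     # install + runtime grants


def parse_dumpsys(text):
    """Parse the permission sections of dumpsys output into PackageInfo objects."""
    pkgs, current, section = {}, None, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:                                     # new package block starts
            current = PackageInfo(m.group(1))
            pkgs[current.name] = current
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped in SECTIONS:                  # section header switches parser mode
            section = stripped
            continue
        if section == "requested permissions:":
            m = REQ_RE.match(line)
            if m:
                current.requested.add(m.group(1))
        elif section in ("install permissions:", "runtime permissions:"):
            m = PERM_RE.match(line)
            if m and m.group(2) == "true":        # only count grants, not denials
                current.granted.add(m.group(1))
    return pkgs


def triage(text, threshold=5):
    """Return (name, requested_count, granted_dangerous) for packages holding at
    least `threshold` granted dangerous permissions, most privileged first."""
    findings = []
    for p in parse_dumpsys(text).values():
        danger = sorted(p.granted & DANGEROUS)
        if len(danger) >= threshold:
            findings.append((p.name, len(p.requested), danger))
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings


# Constructed sample: a benign flashlight app and a hypothetical over-permissioned one.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3f2a1c):
    userId=10087
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.processmanager] (7b9d0e):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_PHONE_STATE
      android.permission.READ_SMS
      android.permission.ACCESS_WIFI_STATE
      android.permission.FOREGROUND_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.FOREGROUND_SERVICE: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for name, requested, danger in triage(SAMPLE_DUMPSYS):
        print(f"{name}: {requested} requested, {len(danger)} dangerous granted")
        for perm in danger:
            print("   ", perm)
```

On a real device, feed the script the full `adb shell dumpsys package` output rather than the constructed sample. A package that holds call-log, contact, microphone and location access at the same time, and that no longer shows a launcher icon, is the profile the article describes and a candidate for uninstalling; the script only ranks, it does not decide for you.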
The claim that Russian hackers working for the Kremlin are behind it is questioned
In their analysis, the experts explain that they were able to identify an IP address (the identification number assigned to a computer connected to the Internet) located in Russia. “Because the server this software connects to has been used by the Russian state for a while. Except that these IP addresses can be bought on the black market and reused by someone else,” continues Benoit Ferault. But beware: the current war context reinforces this sense of mistrust towards this country.
In any case, Lab52 researchers have identified infrastructure attributed to the FSB, the Russian security services. Their hypothesis as to who is behind this attack: the Russian hacker group Turla, also called “Snake” or “Uroburos”, a Kremlin-funded group that may have been involved in the 2020 hack of SolarWinds, an American software company.
However, while certain strings in this software do contain the Cyrillic alphabet, nothing proves that Turla’s operators are indeed behind it. “We find many pieces of software that have already been used by this group, but nothing allows us to confirm that it is really them. If the attackers had significant (financial) resources for espionage, they would certainly have chosen to make it completely invisible,” he said.
Especially since this infection also triggers the download of a popular Indian application (10,000,000 downloads) with a very widespread money-making referral system in India: “Roz Dhan Earn money on your wallet”. Thanks to a referral program, the hackers earn a commission for every download of this Indian application.
Antivirus software exists to protect you. “Phones are also becoming more secure,” says the Quarkslab expert. As proof of the weaknesses of this software, users can also simply uninstall the application. This reinforces doubts about its origin, as Turla’s hackers are more accustomed to cyber-espionage, particularly against officials or diplomats who hold sensitive data, than to targeting ordinary citizens. The extent of this attack is unknown. But as usual, the goal is to harvest as much data as possible, which can always be resold on the dark web.