Friday, November 15, 2024
HomeMalwareRussia Linked Android Malware Access Camera, Audio & Location

Russia Linked Android Malware Access Camera, Audio & Location

Published on

Hacking group Turla is part of the Russian intelligence service that utilizes custom malware to perform cyberespionage mainly to target systems and entities from:-

  • Europe
  • America

It may be the Turla hacking group that is responsible for the widespread distribution of infamous malware on Android devices.

This malware not only allows hackers to gather information about you but also allows them access to your phone’s other important features as well. While in December 2020, these threat actors were implicated in the SolarWinds supply chain attack using the Sunburst backdoor.

- Advertisement - SIEM as a Service

Turla Group’s Android Spyware

Lab52 experts have found an APK that is dubbed “Process Manager,” it functions as an Android spyware application that uploads all the sensitive data to the server controlled by the threat actors to propagate the malicious code.

Process Manager hides on Android devices using a gear-shaped icon that looks like a system component, pretending that it is part of the operating system. So, currently, it is not entirely clear how the spyware is distributed.

Permissions accessed

In order for this app to function, your Android device needs to grant it 18 permissions, and here below we have mentioned all the permissions:-

  • Access coarse location
  • Access fine location
  • Access network state
  • Access WiFi state
  • Camera
  • Foreground service
  • Internet
  • Modify audio settings
  • Read call log
  • Read contacts
  • Read external storage
  • Write external storage
  • Read phone state
  • Read SMS
  • Receive boot completed
  • Record audio
  • Send SMS
  • Wake log

There is a high risk that your device will be tracked according to user permissions if all permissions are allowed. Moreover, the Android spyware is likely to continue to operate silently in the background, once the permissions have been granted by the user.

By exploiting all these permissions, hackers can access sensitive data like:-

  • Confidential information related to bank accounts. 
  • Email addresses.
  • Saved username & passwords.
  • Messages
  • Event notifications.
  • Logs.
  • Recordings.

A JSON file containing all this information was sent to 82.146.35.240, which is the main command and control server of the threat actors.

Abuse For Profit

On the Google Play Store, you can find the app “RozDhan: Earn Wallet Cash” that has more than 10,000,000 downloads, and it is being abused for profit. While the Lab52 team discovered that the app downloads additional payloads to the device.

It is likely to earn a commission through the referral system of the application, the spyware downloads the APK for you. However, it is somewhat strange that it appears to be the particular actor focused on cyber-espionage rather than just general hacking.

While it is always advisable for Android users to be cautious when downloading apps to their smartphone. Moreover, the app permissions should be reviewed periodically to ensure that they are not putting the privacy and security of the user at risk.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...