Thursday, December 5, 2024
HomeMalwareRussia Linked Android Malware Access Camera, Audio & Location

Russia Linked Android Malware Access Camera, Audio & Location

Published on

SIEM as a Service

Hacking group Turla is part of the Russian intelligence service that utilizes custom malware to perform cyberespionage mainly to target systems and entities from:-

  • Europe
  • America

It may be the Turla hacking group that is responsible for the widespread distribution of infamous malware on Android devices.

This malware not only allows hackers to gather information about you but also allows them access to your phone’s other important features as well. While in December 2020, these threat actors were implicated in the SolarWinds supply chain attack using the Sunburst backdoor.

- Advertisement - SIEM as a Service

Turla Group’s Android Spyware

Lab52 experts have found an APK that is dubbed “Process Manager,” it functions as an Android spyware application that uploads all the sensitive data to the server controlled by the threat actors to propagate the malicious code.

Process Manager hides on Android devices using a gear-shaped icon that looks like a system component, pretending that it is part of the operating system. So, currently, it is not entirely clear how the spyware is distributed.

Permissions accessed

In order for this app to function, your Android device needs to grant it 18 permissions, and here below we have mentioned all the permissions:-

  • Access coarse location
  • Access fine location
  • Access network state
  • Access WiFi state
  • Camera
  • Foreground service
  • Internet
  • Modify audio settings
  • Read call log
  • Read contacts
  • Read external storage
  • Write external storage
  • Read phone state
  • Read SMS
  • Receive boot completed
  • Record audio
  • Send SMS
  • Wake log

There is a high risk that your device will be tracked according to user permissions if all permissions are allowed. Moreover, the Android spyware is likely to continue to operate silently in the background, once the permissions have been granted by the user.

By exploiting all these permissions, hackers can access sensitive data like:-

  • Confidential information related to bank accounts. 
  • Email addresses.
  • Saved username & passwords.
  • Messages
  • Event notifications.
  • Logs.
  • Recordings.

A JSON file containing all this information was sent to 82.146.35.240, which is the main command and control server of the threat actors.

Abuse For Profit

On the Google Play Store, you can find the app “RozDhan: Earn Wallet Cash” that has more than 10,000,000 downloads, and it is being abused for profit. While the Lab52 team discovered that the app downloads additional payloads to the device.

It is likely to earn a commission through the referral system of the application, the spyware downloads the APK for you. However, it is somewhat strange that it appears to be the particular actor focused on cyber-espionage rather than just general hacking.

While it is always advisable for Android users to be cautious when downloading apps to their smartphone. Moreover, the app permissions should be reviewed periodically to ensure that they are not putting the privacy and security of the user at risk.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...