2022-04-05

An Android spyware application has been discovered that acts as a “Process Manager” service in order to capture sensitive data from infected devices. The application, which has the package name “com.remote.app,” establishes communication with a remote command-and-control server, 82.146.35[.]240, which has previously been identified as infrastructure belonging to the Turla hacking gang located in Russia.

According to Lab52 researchers,

When the application is run, a warning appears about the permissions granted to the application. These include screen unlock attempts, locking the screen, setting the device global proxy, setting screen lock password expiration, setting storage encryption, and disabling cameras.

Researchers Discover New Android Spyware Linked to Turla Hackers

Once “activated,” the virus hides its gear-shaped icon on the home screen and runs in the background, exploiting the app’s broad capabilities to access the device’s contacts and call history, track its location, send and read messages, access external storage, snap photos, and record audio.

The data collected is saved in JSON format and then sent to the remote server specified earlier. Despite the use of the same C2 server, Lab52 claims it doesn’t have enough evidence to link the malware to the Turla organization. The actual initial access vector used for delivering the malware and the campaign’s intended targets are also unknown at this time.

However, the rogue Android software also tries to download a legitimate app called Roz Dhan (Hindi for “Daily Wealth”), which has over 10 million downloads and allows users to earn cash incentives by completing surveys and quizzes. In this regard, the researchers said,

The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by malware. The attacker installs it on the device and makes a profit.

