Russian hackers have been linked to several high-profile cyberattacks, including interfering in the 2016 US presidential campaign. The Kremlin’s motives in carrying out these attacks aren’t always clear, but generally, they are intended to sow chaos, create distrust, and coincidentally line the hackers’ — or their sponsors’ — pockets as well. Russian state-supported hackers aren’t just interested in going after targets in the US or Ukraine, either. The Turla group — state-sponsored Russian hackers first identified in 2020 — has been using some particularly sneaky Android malware buried inside a seemingly innocent app.
By way of Bleeping Computer, we learn that cybersecurity researchers with Lab52 have uncovered a piece of spyware masquerading as a helpful Android tool called “Process Manager.” The malware is packaged to look like a harmless APK, but once installed, it begins collecting sensitive information and sending it back to the attackers. On first launch, the app asks for 18 permissions, including access to messaging, location, and audio recording functions. Researchers are unsure how the malware obtains these permissions, but malicious Android apps often do so by abusing the Accessibility service.
Once the malware has what it needs, it pulls another sneaky move and removes its icon before silently running in the background. By pulling this disappearing act, it relies on a lack of user attention — a kind of “out of sight, out of mind” approach to owning your device. There is one giveaway, though: a persistent notification that says “Process Manager is running.” There are several unknowns regarding this malware attack, but researchers consider it unusual because the app also downloads multiple extra malicious payloads, including a money-earning Play Store app named “Roz Dhan: Earn Wallet cash” that appears legitimate.
Bleeping Computer speculates, based on the malicious APK’s command and control server infrastructure, that it is part of a larger system, and advises anyone with an Android device to review the permissions they have granted to their apps and revoke any that might put them at risk.
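The permission review Bleeping Computer recommends can be scripted against a device connected over adb. The following is an added example (not code from the article, Lab52, or Bleeping Computer) that parses the text of `adb shell dumpsys package` for runtime permissions granted to each app, flags the ones in the categories the article names (messaging, location, audio recording), lists any enabled Accessibility services from `adb shell settings get secure enabled_accessibility_services`, and prints the matching `pm revoke` commands for an analyst to review. The dumpsys layout it parses is an approximation of real output, and the sample text, package names, and allowlist are all constructed for the example.

```python
"""Audit granted Android runtime permissions from dumpsys text.

Added example, not from the article. Assumptions: the `dumpsys package`
layout below approximates real output (section headers ending in
"permissions:", entries of the form "<perm>: granted=<bool>"), and all
package names and sample text are constructed placeholders.
"""
import re
from typing import Dict, FrozenSet, List, Set

# Runtime permissions in the categories the article calls out (messaging,
# location, audio), plus closely related data-access permissions.
HIGH_RISK: FrozenSet[str] = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
})

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def parse_granted_runtime_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Return {package: set of runtime permissions with granted=true}."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:  # a new "Package [name]" block starts
            current = m.group(1)
            result.setdefault(current, set())
            in_runtime = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # Only the "runtime permissions:" section reflects user grants;
            # "requested"/"install" sections switch parsing off.
            in_runtime = stripped == "runtime permissions:"
            continue
        if in_runtime:
            m = PERM_RE.match(line)
            if m and m.group(2) == "true":
                result[current].add(m.group(1))
    return result


def flag_risky_apps(granted: Dict[str, Set[str]],
                    allowlist: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Packages (outside the allowlist) holding any HIGH_RISK permission."""
    return {pkg: sorted(perms & HIGH_RISK)
            for pkg, perms in granted.items()
            if pkg not in allowlist and perms & HIGH_RISK}


def revoke_commands(flagged: Dict[str, List[str]]) -> List[str]:
    """`adb shell pm revoke` lines for an analyst to review before running."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(flagged.items()) for perm in perms]


def parse_enabled_accessibility_services(settings_value: str) -> List[str]:
    """Split the colon-separated component list; 'null' means none enabled."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [svc for svc in value.split(":") if svc]


# Constructed sample resembling `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Package [com.example.processmanager] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1235 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    flagged = flag_risky_apps(parse_granted_runtime_permissions(SAMPLE_DUMPSYS))
    for pkg, perms in flagged.items():
        print(f"{pkg}: {', '.join(perms)}")
    print("\n".join(revoke_commands(flagged)))
    # Constructed value; on a device, feed in the `settings get secure` output.
    print(parse_enabled_accessibility_services("com.example.a/.Svc:null"))
```

On a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; an Accessibility service you do not recognise is worth the same scrutiny as a messaging or audio grant, since the article notes that is the usual route by which malware grants itself permissions.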