Android Spyware Hidden in Mapping Software Targets Russian Soldiers

Doctor Web researchers have uncovered a new Android spyware, tracked as Android.Spy.1292.origin, that targets Russian military personnel. The malicious code was found embedded in a trojanized copy of the Alpine Quest mapping app, which is reportedly used by Russian soldiers for planning in the war zone.

According to the report published by Doctor Web, the trojanized Alpine Quest app was spread via Russian Android app catalogs and promoted through a fake Telegram channel. The threat actors took the Alpine Quest Pro app, the paid version with advanced functionality, and embedded their malicious code into a counterfeit build of it. The aim was to exploit the popularity of the Alpine Quest software among athletes, travelers, hunters, and Russian military personnel in the Special Military Operation zone.

The malware, Android.Spy.1292.origin, is designed to steal sensitive information from infected devices. It silently gathers data such as phone number, accounts, contact list, current date, geolocation, stored file details, and app version, which it transmits to a command-and-control server every time the app is launched. Additionally, the malware shares location updates directly with an attacker's Telegram bot whenever the device's location changes.

The malicious code also allows attackers to download and run extra modules to steal specific data, including confidential documents shared through Telegram and WhatsApp, as well as the locLog file generated by Alpine Quest. This enables Android.Spy.1292.origin to track user locations and exfiltrate sensitive files. The modular design of the malware allows it to expand its capabilities and perform a broader range of malicious activities.

"As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked," concludes the report. "In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks."

The researchers from Doctor Web warn that users should take precautions when downloading Android apps. They recommend only downloading apps from trusted sources like official app stores and avoiding Telegram channels and shady sites, especially those offering free versions of paid apps. Users should also verify the authenticity of app distributors, as attackers often impersonate legitimate developers with similar names and logos.

Stay Safe Online

To protect yourself against such malicious attacks, follow these best practices:

  • Only download Android apps from trusted sources like official app stores.
  • Avoid Telegram channels and shady sites that offer free versions of paid apps.
  • Verify the authenticity of app distributors before installing any app.

By taking these precautions, you can significantly reduce your risk of falling victim to malicious spyware like Android.Spy.1292.origin.