Lab52 specialists were able to link previously unknown malware for Android devices with the hacker group Turla. The researchers found that the application used an infrastructure previously associated with Turla.
The experts identified a malicious APK named Process Manager that acts as spyware for Android devices, collecting data from them and sending it to the attackers.
How the infection occurs is still unclear. As a rule, Turla distributes its malicious tools through phishing, social engineering, watering hole attacks (infecting victims through compromised sites they visit) and similar means.
After installation, Process Manager tries to disguise itself on the device by using a gear icon and posing as a system component.
After the first launch, the application receives 18 permissions:
Access to location data;
Access to network status;
Access to Wi-Fi status;
Access to the camera;
Permission to change audio settings;
Permission to read call logs;
Permission to read contact lists;
Permission to read data in external storage;
Permission to write data to external storage;
Permission to read the phone status;
Permission to read SMS messages;
Permission to record audio;
Permission to send SMS messages, etc.
It is not yet clear whether the malware uses the Android Accessibility service to get permissions, or requests them from the user.
After receiving the permissions, the spyware removes its icon and keeps running in the background. However, its presence is betrayed by a persistent notification, which is uncharacteristic of spyware, whose main task is to stay hidden on the device.
During the analysis, the Lab52 team also found that the malware downloads additional payloads to the device; in one case the additional application was fetched directly from the Play Store.
That application, Roz Dhan: Earn Wallet cash (10 million downloads), has a referral system that pays out money.
The malware apparently installs the APK through the app's referral system in order to collect commissions. This is very strange, since Turla specializes in cyber espionage.
This fact, together with the relatively simple implementation of the malware, suggests that the C&C server analyzed by the researchers is part of infrastructure shared by several groups.
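The permission list above, together with the icon-hiding behaviour and the persistent notification just described, is the kind of profile an analyst would screen APKs for. The following is an added example, not Lab52's code or anything from the Process Manager sample: it scores a parsed manifest summary against that surveillance permission set and flags a missing launcher activity (hidden icon), a declared accessibility service and a system-sounding label. The weights, thresholds, package names and both sample inputs are assumptions constructed for this example; real input would be produced from aapt or apkanalyzer output.

```python
"""Permission-profile triage for Android APKs (added example, not Lab52 code).

Scores a parsed manifest summary against the surveillance permission set the
article lists for Process Manager and flags the icon-hiding behaviour it
describes.  Weights, thresholds and samples are assumptions constructed here;
real input would come from aapt/apkanalyzer output.
"""
from dataclasses import dataclass

PREFIX = "android.permission."

# Weight per permission: roughly how useful it is to spyware on its own.
# Network/Wi-Fi state are near-universal in benign apps and score 0.
SURVEILLANCE_WEIGHTS = {PREFIX + name: w for name, w in {
    "ACCESS_FINE_LOCATION": 2, "ACCESS_NETWORK_STATE": 0,
    "ACCESS_WIFI_STATE": 0, "CAMERA": 2, "MODIFY_AUDIO_SETTINGS": 1,
    "READ_CALL_LOG": 3, "READ_CONTACTS": 2, "READ_EXTERNAL_STORAGE": 1,
    "WRITE_EXTERNAL_STORAGE": 1, "READ_PHONE_STATE": 1, "READ_SMS": 3,
    "RECORD_AUDIO": 3, "SEND_SMS": 3,
}.items()}

# Label words that imitate system components (the sample used "Process Manager").
SYSTEM_LOOKALIKE_WORDS = ("process", "system", "service", "settings", "update")
REVIEW_THRESHOLD = 6      # assumed: worth an analyst's look
SPYWARE_THRESHOLD = 12    # assumed: a full surveillance profile


@dataclass(frozen=True)
class ApkSummary:
    package: str
    label: str
    permissions: frozenset
    has_launcher_activity: bool    # False once the app hides its icon
    declares_accessibility: bool   # accessibility service in the manifest
    foreground_service: bool       # what produces a persistent notification


def triage(apk: ApkSummary) -> dict:
    """Return the score, the reasons behind it and a verdict for one APK."""
    score, reasons = 0, []
    for perm in sorted(apk.permissions):
        weight = SURVEILLANCE_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            reasons.append(f"{perm.split('.')[-1]} (+{weight})")
    # Reading and sending SMS plus audio recording is the classic
    # interception combination; score it on top of the individual weights.
    if {PREFIX + "READ_SMS", PREFIX + "SEND_SMS", PREFIX + "RECORD_AUDIO"} <= apk.permissions:
        score += 2
        reasons.append("SMS read+send with audio recording (+2)")
    if not apk.has_launcher_activity:
        score += 3
        reasons.append("no launcher activity, icon hidden (+3)")
    if apk.declares_accessibility:
        score += 2
        reasons.append("accessibility service declared (+2)")
    if any(w in apk.label.lower() for w in SYSTEM_LOOKALIKE_WORDS):
        score += 1
        reasons.append(f"system-lookalike label {apk.label!r} (+1)")
    # A foreground service explains a constant notification; benign apps use
    # them too, so it is recorded as context rather than scored.
    if apk.foreground_service:
        reasons.append("foreground service present (context, +0)")
    verdict = ("spyware-like" if score >= SPYWARE_THRESHOLD
               else "review" if score >= REVIEW_THRESHOLD else "low")
    return {"package": apk.package, "score": score, "verdict": verdict, "reasons": reasons}


def perms(*names):
    """Expand short permission names to their android.permission.* form."""
    return frozenset(PREFIX + n for n in names)


# Constructed samples: the first mirrors the permission list in the article
# (package name is a placeholder), the second is an ordinary single-purpose app.
PROCESS_MANAGER_LIKE = ApkSummary(
    package="com.example.processmanager", label="Process Manager",
    permissions=perms("ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE",
                      "ACCESS_WIFI_STATE", "CAMERA", "MODIFY_AUDIO_SETTINGS",
                      "READ_CALL_LOG", "READ_CONTACTS", "READ_EXTERNAL_STORAGE",
                      "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE", "READ_SMS",
                      "RECORD_AUDIO", "SEND_SMS"),
    has_launcher_activity=False, declares_accessibility=False,
    foreground_service=True,
)
FLASHLIGHT = ApkSummary(
    package="com.example.flashlight", label="Flashlight",
    permissions=perms("CAMERA"),
    has_launcher_activity=True, declares_accessibility=False,
    foreground_service=False,
)

if __name__ == "__main__":
    for apk in (PROCESS_MANAGER_LIKE, FLASHLIGHT):
        result = triage(apk)
        print(result["package"], result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("   ", reason)
```

The sample mirroring the article's permission list scores 28 and is marked spyware-like, while the single-permission flashlight app scores 2. The foreground service is deliberately not scored: it is what makes the "constant notification" the article mentions visible, and plenty of legitimate apps (players, navigation, VPN clients) have one, so on its own it separates nothing.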