Researchers spotted a new piece of Android malware while investigating activity associated with Russia-linked APT Turla.

Researchers at cybersecurity firm Lab52 discovered a new piece of Android malware while investigating into infrastructure associated with Russia-linked APT Turla.

The malicious code was discovered while analyzing the Penquin-related infrastructure, the experts noticed malware was contacting IP addresses that had been used as C2 in Russia-linked APT Turla’s operation.

One of the malicious binaries, an Android binary named Process Manager, was contacting the 82.146.35[.]240 address. Experts analyzed it and excluded the attribution to the Russian APT due to its capabilities.

Once installed on an Android device, the malware poses as Process Manager and a warning appears about the permissions granted to the application.

Below is the list of the granted permissions:

However, the number of permissions requested by the application amounts to 18:

PERMISSIONSDESCRIPTIONACCESS_COARSE_LOCATIONAccess to the phone location.ACCESS_FINE_LOCATIONAccess to the location based on GPS.ACCESS_NETWORK_STATEView the status of all networks.ACCESS_WIFI_STATEView WIFI information.CAMERATake pictures and videos from the cameraFOREGROUND_SERVICEAllows to put in foregroundINTERNETAllows to create internet socketsMODIFY_AUDIO_SETTINGSAllows to modify audio settingsREAL_CALL_LOGAllows to read a telephone callREAD_CONTACTSAllows to read contacts informationREAD_EXTERNAL_STORAGEAllows to read external storage devicesWRITE_EXTERNAL_STORAGEAllows to write to the Memory CardREAD_PHONE_STATEAllows to read phone status and its idREAD_SMSAllows to read SMS stored on the SIM cardRECEIVE_BOOT_COMPLETEDAllows to start the app when the device is turned onRECORD_AUDIOAccess to the audio recorderSEND_SMSAllows to send smsWAKE_LOGPrevents the device from locking/hibernatingAfter its first execution, the icon is removed and the application runs in the background, showing in the notification bar.

Upon configuring the application, the malicious code executes a series of tasks that steal information from the infected device and add it to a JSON.

The malicious code also gathers information on the installed packages and on the permissions the user has for each package.

“Once all the information has been collected in JSON format, the application contacts the C2 (82.146.35[.]240) and identifies the device by its model, version, id and manufacturer.” reads the analysis.

The researchers also noticed that the malware also attempts to download and install an application called Rozdhan using a goo.gl shorter.

The application is on Google Play and is used to earn money, has a referral system that is abused by the malicious code. The threat actors install it on the mobile device and make a profit.

“we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities.” concludes the report.

Who is behind this threat is still unclear, and did it use the Turla C2 infrastructure?

Is this a false flag operation of a third-party nation-state actor?

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Android malware)

The post Experts spotted a new Android malware while investigating by Russia-linked Turla APT appeared first on Security Affairs.