A team of security researchers has detected and detailed a new Android malware that records audio and tracks the device's location once installed. The malware uses the same shared hosting infrastructure previously used by a team of Russian hackers known as Turla. However, it is unclear whether the Russian state-backed group has a direct relationship with the newly discovered malware. It is delivered as a malicious APK file that acts as Android spyware, performing its actions in the background without any visible indication to the user.
Researchers at the threat intelligence company Lab52 have identified the Android malware with the name Process Manager. Once installed, it appeared in the device’s app drawer as a gear-shaped icon – disguised as a preloaded system service.
The researchers found that the app asks for a total of 18 permissions when it is run on the device for the first time. These permissions include access to the phone's location and Wi-Fi information, the built-in camera for taking photos and videos, and the microphone for recording audio.
It is not clear whether the app obtains these permissions by abusing the Android Accessibility service or by tricking users into granting them.
After the malicious app is launched for the first time, its icon is removed from the app drawer. The app nevertheless keeps working in the background, and its active state remains visible in the notification bar.
The researchers noticed that the app configures itself according to the permissions it has been granted and then works through a list of tasks. These include collecting details about the phone it is installed on, recording audio, and gathering information such as Wi-Fi settings and contacts.
In the audio recording component in particular, the researchers found that the app records audio from the device and saves it in MP3 format to the cache folder.
The malware collects all the data and sends it in JSON format to a server located in Russia.
While the exact source from which the malware reaches devices is unknown, the researchers found that its creators abused the referral system of an app called Roz Dhan: Earn Wallet Cash, which can be downloaded from Google Play and has over 10 million downloads. The malware downloads this legitimate app and helps the attackers install it on the device, so that they profit from its referral system.
This is relatively unusual for spyware, since the attackers appear to be focused on cyber espionage. As Bleeping Computer points out, the odd behavior of downloading an app to earn commissions from its referral system suggests that the malware could be part of a larger operation yet to be discovered.
That said, Android users are advised not to install unknown or suspicious apps on their devices. Users should also review the app permissions they grant to restrict third-party access to their hardware.
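The permission review recommended above can be scripted. The following is an added example, not code from Lab52 or from the original report: it parses text in the shape of `adb shell dumpsys package <pkg>` output and flags a package whose granted runtime permissions cover the combination this spyware relies on (microphone, camera, and precise location). The sample dump and the package name are constructed for illustration.

```python
import re

# Runtime permissions that together match the capabilities described for
# "Process Manager": audio recording, camera access and location tracking.
# (Wi-Fi state and contacts are requested too, but this trio is the core.)
SPYWARE_PROFILE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output.
# The package name and hash are placeholders, not indicators from the report.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeprocessmanager] (deadbeef):
    requested permissions:
      android.permission.ACCESS_WIFI_STATE
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

GRANT_LINE = re.compile(r"^\s*(android\.permission\.\S+): granted=(true|false)", re.M)


def granted_runtime_permissions(dump: str) -> set[str]:
    """Return the runtime permissions that are actually granted (not just requested)."""
    # Only lines under "runtime permissions:" carry a granted= field, so the
    # regex naturally skips the "requested permissions:" section.
    return {name for name, state in GRANT_LINE.findall(dump) if state == "true"}


def matches_spyware_profile(granted: set[str]) -> bool:
    """True when every permission in SPYWARE_PROFILE has been granted."""
    return SPYWARE_PROFILE.issubset(granted)


if __name__ == "__main__":
    grants = granted_runtime_permissions(SAMPLE_DUMPSYS)
    print("granted:", sorted(grants))
    print("spyware-like permission profile:", matches_spyware_profile(grants))
```

On a real device, feed the output of `adb shell dumpsys package <pkg>` for each installed package to `granted_runtime_permissions` and review any package that matches, especially one with no launcher icon.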