A previously unknown Android spyware has been found targeting users to steal their data. Its infrastructure has similarities with the Russian Turla group but the campaign cannot be attributed to it.
The Android malware
Researchers from Lab52 have discovered a malicious APK named Process Manager that acts as an Android spyware.
The spyware steals information such as logs, SMS, recordings, and event notifications, which are sent in JSON format to the C2 server located at 82[.]146[.]35[.]240.
Post-installation, the malicious application tries to hide in the device as a gear-shaped icon, impersonating a system component.
Upon its first launch, the application asks the user to allow it to use around 18 permissions, including access coarse location, fine location, network state, WiFi state, camera, and write external storage.
When the spyware receives all the desired permissions, its icon is removed and it runs in the background, with no major indication of presence except for notification.
While analyzing the spyware, the research team discovered that it downloads additional payloads to the device.
In one case, an application named Roz Dhan: Earn Wallet cash is fetched directly from the Play Store
This application features a money-generating referral system and already had a download count of over 10,000,000.
The spyware downloads the APK through the application's referral system for earning a commission, which is strange given that the associated threat actor is known for focusing on cyberespionage.
The market for malicious applications is thriving and it would cost dearly if you don’t heed the security warnings. Most importantly, avoid third-party sources for downloading an app.