Experts spotted a new Android malware while investigating by Russia-linked Turla APT

Researchers spotted a new piece of Android malware while investigating activity associated with Russia-linked APT Turla.

Researchers at cybersecurity firm Lab52 discovered a new piece of Android malware while investigating into infrastructure associated with Russia-linked APT Turla.

The malicious code was discovered while analyzing the Penquin-related infrastructure, the experts noticed malware was contacting IP addresses that had been used as C2 in Russia-linked APT Turla’s operation.

One of the malicious binaries, an Android binary named Process Manager, was contacting the 82.146.35[.]240 address. Experts analyzed it and excluded the attribution to the Russian APT due to its capabilities.

Once installed on an Android device, the malware poses as Process Manager and a warning appears about the permissions granted to the application.

Below is the list of the granted permissions:

However, the number of permissions requested by the application amounts to 18:

PERMISSIONS	DESCRIPTION
ACCESS_COARSE_LOCATION	Access to the phone location.
ACCESS_FINE_LOCATION	Access to the location based on GPS.
ACCESS_NETWORK_STATE	View the status of all networks.
ACCESS_WIFI_STATE	View WIFI information.
CAMERA	Take pictures and videos from the camera
FOREGROUND_SERVICE	Allows to put in foreground
INTERNET	Allows to create internet sockets
MODIFY_AUDIO_SETTINGS	Allows to modify audio settings
REAL_CALL_LOG	Allows to read a telephone call
READ_CONTACTS	Allows to read contacts information
READ_EXTERNAL_STORAGE	Allows to read external storage devices
WRITE_EXTERNAL_STORAGE	Allows to write to the Memory Card
READ_PHONE_STATE	Allows to read phone status and its id
READ_SMS	Allows to read SMS stored on the SIM card
RECEIVE_BOOT_COMPLETED	Allows to start the app when the device is turned on
RECORD_AUDIO	Access to the audio recorder
SEND_SMS	Allows to send sms
WAKE_LOG	Prevents the device from locking/hibernating

After its first execution, the icon is removed and the application runs in the background, showing in the notification bar.

Upon configuring the application, the malicious code executes a series of tasks that steal information from the infected device and add it to a JSON.

The malicious code also gathers information on the installed packages and on the permissions the user has for each package.

“Once all the information has been collected in JSON format, the application contacts the C2 (82.146.35[.]240) and identifies the device by its model, version, id and manufacturer.” reads the analysis.

The researchers also noticed that the malware also attempts to download and install an application called Rozdhan using a goo.gl shorter.

The application is on Google Play and is used to earn money, has a referral system that is abused by the malicious code. The threat actors install it on the mobile device and make a profit.

“we want to share our analysis on the capabilities of this piece of malware, although the attribution to Turla does not seem possible given its threat capabilities.” concludes the report.

Who is behind this threat is still unclear, and did it use the Turla C2 infrastructure?

Is this a false flag operation of a third-party nation-state actor?

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android malware)

[adrotate banner=”5″]

[adrotate banner=”13″]