Security researchers from Lab52 have dissected a new piece of Android malware that they discovered while looking into the infrastructure of Russian cyberespionage group Turla.
Although it is the only malware family observed connecting to a Turla-associated IP address, Lab52 says the spyware cannot be confidently attributed to the APT on the basis of its capabilities, which do not match what is known of the group's tooling.
Once installed on a victim's phone, the malware appears as an app named Process Manager with a gear-shaped icon. After its first run the icon is removed, although the package itself stays installed and keeps running.
On first run the malware requests a long list of permissions that together give it near-complete control over the device and its contents.
It asks for screen lock/unlock, device location, network settings, camera, audio settings, call logs, contacts, external storage, SMS messages, phone state and audio recording, as well as the ability to set the device's global proxy and to display in the foreground.
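A defender triaging a suspect device wants the inverse of that permission list: which of these capabilities a given package has actually been granted. The script below is an added example, not code from the Lab52 report or from the malware; it parses the `requested permissions:`, `install permissions:` and `runtime permissions:` sections that `adb shell dumpsys package <pkg>` prints and maps the granted permissions back to the capability categories named above. The package name, the `dumpsys` text and the mapping of categories to Android permission constants are all constructed here for illustration; screen lock/unlock and the global proxy are device-admin features (DevicePolicyManager) rather than runtime permissions, so they are not mapped.

```python
"""Map a package's granted permissions to spyware-relevant capabilities.

Added example; not part of the original article or the Lab52 analysis.
The dumpsys text below is constructed to mimic `adb shell dumpsys package`
output, and the package name is invented.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed mapping from the capability categories in the article to the
# Android permission constants that grant them.  Screen lock/unlock and the
# global proxy are DevicePolicyManager (device-admin) features and are not
# represented by a runtime permission, so they are deliberately absent.
CAPABILITY_PERMISSIONS: Dict[str, List[str]] = {
    "location": ["android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"],
    "camera": ["android.permission.CAMERA"],
    "audio recording": ["android.permission.RECORD_AUDIO"],
    "audio settings": ["android.permission.MODIFY_AUDIO_SETTINGS"],
    "call logs": ["android.permission.READ_CALL_LOG"],
    "contacts": ["android.permission.READ_CONTACTS"],
    "external storage": ["android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"],
    "SMS": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"],
    "phone state": ["android.permission.READ_PHONE_STATE"],
    "display in foreground": ["android.permission.SYSTEM_ALERT_WINDOW"],
    "network settings": ["android.permission.CHANGE_NETWORK_STATE",
                         "android.permission.CHANGE_WIFI_STATE"],
}

SECTION_RE = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
# "<name>" in the requested list, "<name>: granted=true, flags=[...]" elsewhere.
PERM_RE = re.compile(
    r"^\s*([A-Za-z0-9_.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")

# Constructed sample; package name and values are invented for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.processmanager] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.MODIFY_AUDIO_SETTINGS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
      android.permission.FOREGROUND_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.FOREGROUND_SERVICE: granted=true
      android.permission.MODIFY_AUDIO_SETTINGS: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""


def parse_permissions(dumpsys_text: str) -> Tuple[Set[str], Set[str]]:
    """Return (requested, granted) permission sets from dumpsys package output."""
    requested: Set[str] = set()
    granted: Set[str] = set()
    section = None
    for line in dumpsys_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:
            continue
        perm = PERM_RE.match(line)
        if not perm:
            # Any other non-blank line (e.g. "User 0: ...") ends the section.
            if line.strip():
                section = None
            continue
        name, state = perm.groups()
        requested.add(name)
        if state == "true":
            granted.add(name)
    return requested, granted


def triage(dumpsys_text: str) -> Dict[str, object]:
    """Summarise which spyware-relevant capabilities the package actually holds."""
    requested, granted = parse_permissions(dumpsys_text)
    capabilities = {}
    for capability, perms in CAPABILITY_PERMISSIONS.items():
        held = sorted(p for p in perms if p in granted)
        if held:
            capabilities[capability] = held
    return {
        "requested": sorted(requested),
        "granted": sorted(granted),
        "requested_not_granted": sorted(requested - granted),
        "capabilities": capabilities,
        "risk_score": len(capabilities),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMPSYS)
    for capability, perms in result["capabilities"].items():
        print(f"{capability}: {', '.join(perms)}")
    print("denied:", result["requested_not_granted"])
    print("risk score:", result["risk_score"])
```

Run it against the real output of `adb shell dumpsys package <pkg>` for any package that looks out of place; `adb shell pm list packages -3` still lists a third-party package whose launcher icon has been removed, so an absent icon does not mean an absent app. The `requested_not_granted` list matters too: a permission the user denied is one the spyware keeps re-prompting for.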
Once the application is configured, it runs tasks that harvest data from the device and write it to a JSON file. It also inventories the installed packages and the permissions granted to each of them.
When the collection is complete, the malware contacts its command and control (C&C) server and uploads everything it has gathered.
The malware was also seen attempting to download and install the Rozdhan application from a specific location. Rozdhan, which is also available on Google Play, is presented as a way for users to earn money, suggesting that the operators may be using it to monetize their access to infected devices.