Description
An Android spyware application has been discovered that poses as a Process Manager service to capture sensitive data from infected devices.
Summary
The spyware, which has the package name com.remote.app, establishes communication with a remote command-and-control (C2) server, 82.146.35[.]240, which has previously been recognized as infrastructure belonging to the Turla hacking gang located in Russia.
How it works
It is not clear how the spyware is being leveraged but once installed, Process Manager attempts to hide on the infected device using a gear-shaped icon, pretending to be a system component. When the application is run, a prompt appears requesting the following permissions be granted to the application:
Access coarse location
Access fine location
Access network state
Access WiFi state
Camera
Foreground service
Internet
Modify audio settings
Read call log
Read contacts
Read external storage
Write external storage
Read phone state
Read SMS
Receive boot completed
Record audio
Send SMS
Wake lock
These permissions pose a major threat to privacy because they allow the app to obtain the device's location, send and read text messages, access storage, take photos with the camera, and record audio.
It's unclear whether the malware takes advantage of the Android Accessibility service to grant itself these rights or whether it dupes the user into approving the request.
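As an added triage example (not part of this advisory), the following Python script checks a decoded AndroidManifest.xml against the permission set listed above and the reported package name com.remote.app; the two manifests inside it are constructed for illustration, and real APK manifests are stored as binary XML, so they must first be decoded (for example with apktool) before being fed to it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
KNOWN_PACKAGE = "com.remote.app"  # package name reported in the advisory

# Permissions the Process Manager spyware requests, as listed in the advisory.
SPYWARE_PERMISSIONS = {
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE",
    "ACCESS_WIFI_STATE", "CAMERA", "FOREGROUND_SERVICE", "INTERNET",
    "MODIFY_AUDIO_SETTINGS", "READ_CALL_LOG", "READ_CONTACTS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE",
    "READ_SMS", "RECEIVE_BOOT_COMPLETED", "RECORD_AUDIO", "SEND_SMS", "WAKE_LOCK",
}
# Subset that together gives location, messaging, camera and audio surveillance.
SURVEILLANCE_CORE = {"ACCESS_FINE_LOCATION", "READ_SMS", "CAMERA", "RECORD_AUDIO"}

def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (node.get(ANDROID_NS + "name", "") for node in root.iter("uses-permission"))
    return {n.rsplit(".", 1)[-1] for n in names if n}

def triage(manifest_xml):
    """Score a manifest against the advisory's indicators: 'suspicious' or 'review'."""
    pkg = ET.fromstring(manifest_xml).get("package", "")
    perms = requested_permissions(manifest_xml)
    core_hit = SURVEILLANCE_CORE <= perms  # all four surveillance permissions present
    return {
        "package": pkg,
        "known_package": pkg == KNOWN_PACKAGE,
        "overlap": sorted(perms & SPYWARE_PERMISSIONS),
        "surveillance_core": core_hit,
        "verdict": "suspicious" if (pkg == KNOWN_PACKAGE or core_hit) else "review",
    }

# Constructed sample manifests (not real extracted files).
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.remote.app">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
```

Call `triage(SPYWARE_MANIFEST)` and `triage(BENIGN_MANIFEST)` to compare the two verdicts; a hit on the surveillance core alone is a reason to review the app even when the package name differs.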
After acquiring authorization, the spyware hides its icon and runs in the background, leaving just a permanent notice to alert users to its presence. This aspect is quite strange for spyware that should usually strive to remain hidden from the victim.
The device's data, which includes lists, logs, SMS, recordings, and event notifications, is delivered to the C2 server in JSON format.
The actual initial access vector used to deliver the malware and the campaign's intended targets are unknown at this time.
The rogue Android software also tries to download a legitimate app called Roz Dhan, which is Hindi for Daily Wealth. The Daily Wealth app has over 10 million downloads and offers users the chance to win cash prizes by completing surveys and quizzes. The application is available on Google Play, is used to earn money, and has a referral system that the malware abuses: the attacker installs it on the device and collects the referral profit.
Remediation
Users of Android devices should review the app permissions they have granted, which is straightforward on Android 10 and later, and remove any that look excessively hazardous.
Additionally, starting with Android 12, the operating system shows a notification whenever the camera or microphone is activated; if such a notification appears while no app is visibly using the camera or microphone, malware is likely present.
These tools are especially harmful when they are hidden inside IoT (Internet of Things) devices that run older Android versions, making money for their remote operators for lengthy periods of time without anyone noticing.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: New Android Spyware discovered.pdf
References
Lakshmanan, Ravie. (4 April 2022). Researchers Uncover New Android Spyware with C2 Server Linked to Turla Hackers. Retrieved from The Hacker News: https://thehackernews.com/2022/04/researchers-uncover-new-android-spyware.html
Toulas, Bill. (1 April 2022). Newly found Android malware records audio, tracks your location. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/newly-found-android-malware-records-audio-tracks-your-location/