Researchers at cybersecurity firm Lab52 have discovered a new Android malware with Russian links. The malware is disguised as a harmless Android app named “Process Manager”. The app tricks the user into granting it as many as 18 permissions, which would allow it to invade your life in numerous ways. It can track your precise location, record audio from your device, access files, read messages, access the camera, and modify some device settings.
The malware app grants itself the following 18 permissions:
- Access coarse location
- Access fine location
- Camera
- Access network state
- Access Wi-Fi state
- Foreground service
- Internet
- Modify audio settings
- Read call log
- Read contacts
- Write external storage
- Read external storage
- Record audio
- Read phone state
- Read SMS
- Receive boot completed
- Send SMS
- Wake lock
This app also asks for device admin access, which would allow it to monitor screen unlock attempts, set a screen lock password expiration, change the screen lock, set the device's global proxy, factory reset the device, and set storage encryption.
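The permission list above is exactly the kind of pattern a defender can check for automatically. The following script is an added example, not code from Lab52 or from the malware's analysis: it parses an AndroidManifest.xml (decoded with a tool such as apktool beforehand), groups requested permissions into surveillance and persistence capabilities, detects a device-admin receiver, and produces a rough risk verdict. The sample manifest, its package name (com.example.fakeprocessmanager), the category tables and the scoring thresholds are all constructed for the example; the real app's manifest is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS            # android:name attribute
PERM_ATTR = "{%s}permission" % ANDROID_NS  # android:permission attribute

# Permissions that together give an app surveillance capability
# (constructed category table for this example).
SURVEILLANCE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone state / identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "read files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write files",
}

# Permissions that keep the app alive and reachable in the background.
PERSISTENCE = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts at boot",
    "android.permission.FOREGROUND_SERVICE": "foreground service",
    "android.permission.WAKE_LOCK": "keeps device awake",
    "android.permission.INTERNET": "network access",
}

DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def requests_device_admin(root):
    """True if any <receiver> is declared as a device-admin component."""
    for receiver in root.iter("receiver"):
        if receiver.get(PERM_ATTR) == BIND_DEVICE_ADMIN:
            return True
        for action in receiver.iter("action"):
            if action.get(NAME) == DEVICE_ADMIN_ACTION:
                return True
    return False


def triage_manifest(xml_text):
    """Classify the permissions a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    surveillance = sorted(SURVEILLANCE[p] for p in requested if p in SURVEILLANCE)
    persistence = sorted(PERSISTENCE[p] for p in requested if p in PERSISTENCE)
    other = sorted(p for p in requested
                   if p not in SURVEILLANCE and p not in PERSISTENCE)
    admin = requests_device_admin(root)
    # Heuristic score (constructed): each surveillance capability counts 1,
    # device admin counts 3, because it survives ordinary uninstall attempts.
    score = len(surveillance) + (3 if admin else 0)
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {
        "package": root.get("package"),
        "surveillance": surveillance,
        "persistence": persistence,
        "other": other,
        "device_admin": admin,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest mirroring the 18 permissions listed in the article,
# plus a device-admin receiver. Not the real app's manifest.
SAMPLE_PERMS = [
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CAMERA",
    "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE", "FOREGROUND_SERVICE",
    "INTERNET", "MODIFY_AUDIO_SETTINGS", "READ_CALL_LOG", "READ_CONTACTS",
    "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "RECORD_AUDIO",
    "READ_PHONE_STATE", "READ_SMS", "RECEIVE_BOOT_COMPLETED", "SEND_SMS",
    "WAKE_LOCK",
]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.example.fakeprocessmanager">' % ANDROID_NS
    + "".join('<uses-permission android:name="android.permission.%s"/>' % p
              for p in SAMPLE_PERMS)
    + '<application><receiver android:name=".AdminReceiver" android:permission="%s">'
      % BIND_DEVICE_ADMIN
    + '<intent-filter><action android:name="%s"/></intent-filter>' % DEVICE_ADMIN_ACTION
    + "</receiver></application></manifest>"
)

# Constructed benign manifest for comparison: a utility that only needs the network.
BENIGN_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.example.benignutility">' % ANDROID_NS
    + '<uses-permission android:name="android.permission.INTERNET"/>'
    + "<application/></manifest>"
)

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result)
```

The "process manager" sample scores high because it combines eleven surveillance permissions with a device-admin receiver, whereas the benign utility with only INTERNET scores low. A script like this is a triage aid, not a verdict: the category tables should be tuned to the app's stated purpose, and a utility app that asks for SMS, microphone and device admin warrants manual review regardless of the score.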
According to the report, the app shows a warning about the permissions it has been granted when you first open it. The attached screenshots suggest that users cannot deny the permissions from the prompt screen. Once the malware has what it needs, the Process Manager app disappears from the app drawer and runs in the background; you can only see it in the notification bar.
With access to this many permissions, the malware has the potential to steal a lot of sensitive information from your device. It can also pull off a few other sneaky moves, such as installing apps from the Google Play Store and abusing them. The researchers found that the app tried to download an app called Roz Dhan: Earn Wallet Cash, which is used to earn money; the malware abuses its referral system to make a profit.
This Android malware has links to Russian state-sponsored hackers
According to Lab52 (via Bleeping Computer), the Process Manager malware app uses the same shared-hosting infrastructure that the Russian state-sponsored hacking group Turla was previously seen using. Attribution to Turla was not possible, though, because of the malware's limited threat capabilities: if it were the work of a sophisticated APT (advanced persistent threat) group such as Turla, the app would have tried to remain hidden rather than showing a persistent notification. Even so, the malware does send all the information it collects to a server located in Russia.
Either way, if you happen to have this app on your Android smartphone, delete it immediately. Always make sure that you only install apps from trusted sources.
2022-04-04 15:05:22