Gandalf_The_Grey
Thread author
Google's Threat Analysis Group (TAG), whose primary goal is to defend Google users from state-sponsored attacks, said today that Russian-backed threat groups are still focusing their attacks on Ukrainian organizations.
In a report regarding recent cyber activity in Eastern Europe, Google TAG security engineer Billy Leonard revealed that hackers part of the Turla Russian APT group have also been spotted deploying their first Android malware.
They camouflaged it as a DDoS attack tool and hosted it on cyberazov[.]com, a domain spoofing the Ukrainian Azov Regiment.
"This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services," Leonard explained.
"The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective."
Google TAG's analysts believe Turla's operators used the StopWar Android app developed by pro-Ukrainian developers (hosted at stopwar[.]pro) when creating their own fake 'Cyber Azov' DDoS application.
Google catches Turla hackers deploying Android malware in Ukraine
www.bleepingcomputer.com