A previously unknown Android malware has been linked to the Turla hacking group after discovering the app used infrastructure previously attributed to the threat actors.
Turla is a Russian state-supported hacking group known for using
custom malware to target
European and American systems, primarily for espionage.
The threat actors have recently been linked to the
Sunburst backdoor used in the
SolarWinds supply-chain attack in December 2020.
Turla Android spyware?
Researchers from
Lab52 identified a malicious APK [
VirusTotal] named “Process Manager” that acts as Android spyware, uploading information to the threat actors.
While it is not clear how the spyware is distributed, once installed, Process Manager attempts to hide on an Android device using a gear-shaped icon, pretending to be a system component.
Upon its first launch, the app prompts the user to allow it to use the following 18 permissions:
- Access coarse location
- Access fine location
- Access network state
- Access WiFi state
- Camera
- Foreground service
- Internet
- Modify audio settings
- Read call log
- Read contacts
- Read external storage
- Write external storage
- Read phone state
- Read SMS
- Receive boot completed
- Record audio
- Send SMS
- Wake log
