Security researchers have detected and detailed a new Android malware that records audio and tracks location once planted on the device. The malware uses the same shared-hosting infrastructure that was previously found to be used by a team of Russian hackers known as Turla. However, it is unclear whether the Russian state-supported group has a direct relation to the newly discovered malware. It is delivered as a malicious APK file that acts as Android spyware, performing its actions in the background without giving the user any clear indication.
Researchers at threat intelligence firm Lab52 have identified the Android malware, which is named Process Manager. Once installed, it appears in the device's app drawer as a gear-shaped icon, disguised as a preloaded system service.
The researchers found that the app asks for a total of 18 permissions when it runs for the first time on the device. These include access to the phone's location and Wi-Fi information, the built-in camera for taking pictures and videos, and the microphone for recording audio.
It is not clear whether the app obtains these permissions by abusing the Android Accessibility service or by tricking users into granting them.
However, after the malicious app runs for the first time, its icon is removed from the app drawer. The app still runs in the background, with its active status visible in the notification bar.
The researchers noticed that the app configures itself according to the permissions it receives and then starts executing a list of tasks. These include collecting details about the phone on which it has been installed, recording audio, and gathering information such as Wi-Fi settings and contacts.
On the audio recording side in particular, the researchers discovered that the app records audio from the device and saves it as an MP3 file in the cache directory.
The malware collects all the data and sends it in JSON format to a server located in Russia.
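A defender-side triage script, added here as an example and not part of Lab52's report or tooling: it parses a simplified, constructed `adb shell dumpsys package`-style dump (real output is far more verbose), flags apps that request several of the permission types described above (location, Wi-Fi state, camera, contacts, audio recording), and notes when an app's launcher activity has been disabled, which is one common way an icon disappears from the app drawer. The package names, component names and dump text are constructed placeholders, not indicators from the report.

```python
"""Flag installed apps holding a spyware-like permission set with a hidden launcher.

Added example (not Lab52's code). Input mimics a trimmed `dumpsys package`
dump; SAMPLE_DUMP and every package/component name in it are constructed.
"""
import re

# Permission types the article says the spyware requests (real Android names).
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_WIFI_STATE",
}

# Constructed, simplified dump: a benign notes app and a hypothetical
# "system service" that requests the sensitive set and disabled its launcher.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      disabledComponents:
  Package [com.example.procmgr] (4d5e6f):
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.ACCESS_WIFI_STATE
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    User 0: installed=true hidden=false
      disabledComponents:
        com.example.procmgr.LauncherActivity
"""

PKG_RE = re.compile(r"Package \[([\w.]+)\]")


def parse_dump(text):
    """Return {package: {"requested": set, "disabled": set}} from dump text."""
    packages = {}
    pkg = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            packages[pkg] = {"requested": set(), "disabled": set()}
            section = None
            continue
        if pkg is None:
            continue
        # Section headers end with ':'; permission grant lines do not qualify.
        if line.endswith(":") and not line.startswith("android."):
            section = line[:-1]
            continue
        if section == "requested permissions":
            packages[pkg]["requested"].add(line)
        elif section == "disabledComponents":
            packages[pkg]["disabled"].add(line)
    return packages


def flag_suspicious(packages, min_sensitive=3):
    """Flag apps requesting >= min_sensitive sensitive permissions.

    launcher_hidden is a heuristic: a disabled *Activity component is
    consistent with an app removing its own icon from the app drawer.
    """
    findings = []
    for name, info in packages.items():
        held = sorted(info["requested"] & SENSITIVE)
        if len(held) < min_sensitive:
            continue
        hidden = any(c.endswith("Activity") for c in info["disabled"])
        findings.append({"package": name, "sensitive": held,
                         "launcher_hidden": hidden})
    return findings


def triage_sample():
    """Run the triage over the constructed dump and return the findings."""
    return flag_suspicious(parse_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    for f in triage_sample():
        print(f["package"], "sensitive=%d" % len(f["sensitive"]),
              "launcher_hidden=%s" % f["launcher_hidden"])
```

On a real device the dump would come from `adb shell dumpsys package`, and the permission names above are the ones to look for in its `requested permissions:` section; the `min_sensitive` threshold is a tuning knob, since many legitimate apps hold one or two of these permissions but few hold all of them while also hiding their launcher.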
Although the exact source from which the malware reaches devices is unknown, the researchers found that its creators have abused the referral system of an app called Roz Dhan: Earn Wallet Cash, which is available for download on Google Play and has over 10 million downloads. The malware is said to download the legitimate app, which eventually helps the attackers install it on the device and make a profit from its referral system.
This is relatively uncommon for spyware, since the attackers appear to be focused on cyber espionage. As Bleeping Computer notes, the strange behaviour of downloading an app to earn commissions from its referral system suggests that the malware could be part of a larger system that is yet to be discovered.
That said, Android users are advised to avoid installing any unknown or suspicious apps on their devices. Users should also review the app permissions they grant in order to limit third-party access to their hardware.