A new Android malware that records audio and tracks the location of the device once installed has been detected and analysed in detail by a team of security researchers. The malware uses the same shared-hosting infrastructure that was previously used by a group of Russian hackers known as Turla. However, it is unclear whether the Russian state-backed group has a direct link to the newly discovered malware. It arrives as a malicious APK file that acts as Android spyware and performs its actions in the background, without the user's explicit knowledge.
Researchers at the threat intelligence firm Lab52 have identified the Android malware, which calls itself Process Manager. Once installed, it appears as a gear-shaped icon in the device’s app drawer, in the guise of a preloaded system service.
Researchers have found that the app requests a total of 18 permissions when first run on the device. These permissions include the phone's location, Wi-Fi information, taking pictures and videos with the built-in camera, and recording audio with the microphone.
However, after the malicious app is first run, its icon is removed from the app drawer. The app still runs in the background, and its active status remains visible in the notification bar.
Researchers have observed that the app uses the permissions it has been granted to begin working through a list of tasks. These include recording audio, gathering details of the phone on which it is installed, and collecting information such as Wi-Fi settings and contacts.
With regard to the audio recording in particular, researchers discovered that the app records audio from the device and saves it as an MP3 file in the cache directory.
The malware collects all data and sends it in JSON format to a server in Russia.
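As an added defender-side example (not code from Lab52's report or from this article), the following Python helper parses a simplified, constructed `dumpsys package`-style listing and flags packages that hold several of the sensitive permissions described above yet expose no launcher entry, which is the combination the article describes for Process Manager. The permission set, the sample listing and the simplified format are assumptions for illustration; a real triage would also inspect components the app has disabled at runtime.

```python
import re

# Android permission names corresponding to the capabilities the article lists
# (location, Wi-Fi details, camera, audio recording, contacts). Assumed mapping.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
}

# Constructed, simplified excerpt in the style of `adb shell dumpsys package`.
SAMPLE = """\
Package [com.example.processmanager] (a1b2c3):
  requested permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.ACCESS_WIFI_STATE: granted=true
    android.permission.CAMERA: granted=true
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_CONTACTS: granted=true
Package [com.example.weather] (d4e5f6):
  requested permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.INTERNET: granted=true
  Activity Resolver Table:
    android.intent.action.MAIN: android.intent.category.LAUNCHER
"""

def parse_dumpsys(text):
    """Return {package: {"perms": set, "launcher": bool}} from the simplified dump."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            pkgs[current] = {"perms": set(), "launcher": False}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("android.permission."):
            pkgs[current]["perms"].add(stripped.split(":")[0])  # drop "granted=..."
        elif "android.intent.category.LAUNCHER" in stripped:
            pkgs[current]["launcher"] = True
    return pkgs

def flag_spyware_like(pkgs, min_sensitive=3):
    """Packages holding >= min_sensitive sensitive permissions with no launcher entry."""
    return sorted(name for name, info in pkgs.items()
                  if len(info["perms"] & SENSITIVE) >= min_sensitive
                  and not info["launcher"])
```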
Although it is not known exactly how the malware reaches devices, researchers have found that its makers have abused the referral system of an app called Roz Dhan: Earn Wallet Cash, which is available for download on Google Play and has more than 10 million downloads. The malware downloads this legitimate app, which ultimately helps the attacker install it on the device and profit from its referral system.
This is relatively unusual for spyware, since the attackers otherwise appear to be focused on cyber espionage. As BleepingComputer notes, the odd behaviour of downloading an app to earn commissions from a referral system suggests that the malware may be part of a larger operation that has not yet been discovered.
That said, Android users are advised not to install any unknown or suspicious apps on their devices. Users should also review app permissions to restrict third-party access to their hardware.