Turla is a Russian malware group, which is found involved in recent anonymous malicious acts. The group was basically used for spying purposes by the Russian state against its potential rivals. Now an Android malicious app is found associated with Turla, which was secretly using the location and other information for tracking and hacking purposes. Earlier the malware was found in connection with the Sunburst backdoor which was used in the huge attack that happened in December 2020, known as SolarWinds attack.
Lab52 has worked and found some interesting facts regarding the case. They also spotted a malware named as process manager which after installation to any android, starts behaving like a system’s component and gets into system software’s shape. This process manager was also involved in transferring the information to such malware. However, it is not clear how they were performing those tasks, which doors or ways they use, but after it’s launch, they were asking people to allow a total of 18 permission on their systems for running this app. The permissions include access to camera, storage, contacts, SMS, audios, location etc. Although this is a huge risk in itself as with these permissions, the malware can easily get access to the system’s main functions and can get any information and send it to threat actors.
Just after the process manager is allowed for all permits, it suddenly disappears from the vision and a permanent notification appears on the system that means that malware is being processed in your system. However, spyware usually keep themselves completely secret and hide their presence from any aspect. Anyway, after getting the permits, they uploaded all the desired information such as recordings, SMS, logs etc. and sent it to their controlling server.
Research also found that the spyware also caused downloading of extra packets that might be viruses or anything. In one of the found cases, the payload seemed to be downloaded without performing any action. That malicious app was indented to promote digital cash earning and had almost 10,000,000 downloads. Such types of actions are usually done to mislead the researchers and investigators to get distracted from the main focus. This helps to hide the main actors behind such activities.
Conclusively, after all this study, the Android users are suggested to be careful while giving permits to apps and do their complete research if found anything fishy in any app. Also evaluate the previous apps, their permissions and their activities. Fortunately android 12 OS identifies if any function is working in background like camera etc. it is a warning that the system is being occupied by any malware. However, if using Android 10 and so, then you must evaluate your device and nullify the apps immediately which seems strange or hazardous.
Read next: To Keep Your Android Devices Safe, Google Play Protect Now Cuts Out The Permissions Of Idle/Unused Apps