Russian military personnel are being targeted with recently discovered Android malware that steals their contacts and tracks their location.
The malware is hidden inside a modified version of the Alpine Quest mapping application, which is used by, among others, hunters, athletes and Russian soldiers deployed in the war zone in Ukraine. The application displays various topographic maps and can be used both online and offline. The trojanized Alpine Quest app is distributed through a dedicated Telegram channel and through unofficial Android app catalogs. Its main selling point is that it offers a free copy of Alpine Quest Pro, a version that is normally available only to paying users.
Looks like the real thing
The malicious module is named Android.Spy.1292.origin. In a blog post, researchers at the Russia-based security company Dr.Web wrote:
Because Android.Spy.1292.origin is embedded into a copy of the genuine application, it looks and works like the original, which allows it to remain undetected and perform its malicious tasks for longer periods.
Whenever it is launched, the Trojan collects and sends the following data to the C&C server:
- the user’s mobile phone number and their accounts;
- contacts from the directory;
- the current date;
- current geolocation;
- information on files stored on the device;
- the application version.
If files of interest to the threat actors are present, they can update the application with a module that steals them. The threat actors behind Android.Spy.1292.origin are particularly interested in confidential documents sent via Telegram and WhatsApp. They are also interested in the locLog file, the location log created by Alpine Quest. The application's modular design lets it receive further updates that expand its capabilities even more.