A team of security researchers has detected and detailed a new Android malware that records audio and tracks location once implanted on a device. The malware uses the same shared hosting infrastructure previously seen in use by the Russian hacking group known as Turla; however, it is unclear whether the state-backed group has any direct link to the newly discovered sample. It is delivered as a malicious APK file that works as Android spyware and performs its actions in the background without the user's knowledge.
Researchers at threat intelligence firm Lab52 discovered Android malware called Process Manager. Once installed, it appears in the device’s app drawer as a gear-like icon — masquerading as a preloaded system service.
The researchers found that the app requests a total of 18 permissions when it is first run on a device. These include access to the phone's location and Wi-Fi information, taking photos and videos with the built-in camera, and recording audio with the microphone.
It is unclear whether the app obtains these permissions by abusing the Android Accessibility service or by tricking users into granting them.
After the malicious app runs for the first time, its icon is removed from the app drawer. The app nevertheless keeps running in the background, and its running status remains visible in the notification shade.
The researchers noticed that, based on the permissions it obtains, the app begins performing a series of tasks on the device. These include collecting details about the device, recording audio, and gathering other information such as Wi-Fi settings and contacts.
In the recording routine specifically, the researchers found that the app records audio from the device's microphone and writes it to a cache directory in MP3 format.
The malware collects all data and sends it in JSON format to servers located in Russia.
Although exactly how the malware reaches devices is unknown, the researchers found that its creator abuses the referral system of an app called Roz Dhan: Earn Wallet Cash, which is available on Google Play and has been downloaded more than 10 million times. The malware downloads this legitimate app and installs it on the device so that the attackers profit from its referral program.
Such behaviour is relatively uncommon for spyware, which usually focuses on cyber espionage. As noted by Bleeping Computer, the odd step of downloading apps to earn referral commissions suggests the malware may be part of a larger operation that has yet to be discovered.
That said, Android users are advised not to install unknown or suspicious apps on their devices. They should also review the permissions granted to installed apps, in particular access to the microphone, camera and location, to limit third-party access to the device's hardware.
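The permission set described above (location, Wi-Fi state, camera, microphone, contacts) is a useful triage signal when reviewing what is installed on a device. The script below is an added example, not code from Lab52 or from the article: it parses the output of `adb shell dumpsys package` and flags any package that has been granted four or more of those permissions. The sample dump embedded in it is constructed and follows the real `dumpsys package` layout only approximately; the threshold and the watch list are the editor's assumptions, not indicators published by the researchers.

```python
"""Flag installed Android packages holding a spyware-like permission set.

Added example (not Lab52's or the article's code). Usage on a real device:

    adb shell dumpsys package | python3 triage.py
"""
from __future__ import annotations

import re
import sys

# Real Android permission names covering the capabilities the article attributes
# to the spyware. Which ones to watch, and the threshold, are assumptions.
WATCH = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
}
THRESHOLD = 4

# `dumpsys package` prints "Package [name] (hash):" headers, then per-permission
# lines of the form "android.permission.X: granted=true[, flags=...]" under the
# "install permissions:" and "runtime permissions:" sections.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample: one package with the watched combination granted, one
# benign-looking flashlight app with only the camera permission granted.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.processmanager] (1a2b3c):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
  Package [com.example.flashlight] (4d5e6f):
    userId=10232
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
"""


def parse_granted(dump: str) -> dict[str, set[str]]:
    """Map each package name to the set of permissions reported granted=true."""
    granted: dict[str, set[str]] = {}
    current: str | None = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def flag_suspicious(dump: str, threshold: int = THRESHOLD) -> dict[str, set[str]]:
    """Return packages granted at least `threshold` watched permissions.

    Only permissions actually granted count: a requested-but-denied runtime
    permission (as with RECORD_AUDIO on the flashlight sample) is ignored.
    """
    return {
        pkg: perms & WATCH
        for pkg, perms in parse_granted(dump).items()
        if len(perms & WATCH) >= threshold
    }


if __name__ == "__main__":
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for pkg, perms in sorted(flag_suspicious(data).items()):
        print(f"{pkg}: {', '.join(sorted(perms))}")
```

The check counts only permissions reported as granted, so an app that merely declares a dangerous permission in its manifest is not flagged until the user (or an accessibility abuse) actually grants it. A hit is a prompt to investigate, not proof of compromise: legitimate messaging apps can hold the same combination.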