Android malware targets Russian military through a trojanized mapping app

✨ Megiddo

Doctor Web specialists have reported the discovery of Android spyware whose main target is Russian military personnel. The Trojan is hidden in a modified build of the Alpine Quest mapping application and is distributed, among other channels, through one of the Russian app catalogs.

The malware (Android.Spy.1292.origin in the company's classification) sends the phone book contacts and the geolocation of infected devices to its operators. It also inventories the files stored on the device and, on command from the attackers, can download additional modules to steal them.

The researchers note that Alpine Quest lets users work with a variety of maps both online and without an Internet connection. The program is popular with athletes, travellers and hunters, but has also found wide use among Russian military personnel in the special military operation zone.

The attackers embedded the malware in one of the older versions of Alpine Quest and distributed the malicious build under the guise of a freely available copy of the paid, extended-functionality version of the program, Alpine Quest Pro. To do this, they created a fake Telegram channel for the application, through which a link to download the program from one of the Russian app catalogs was circulated. Later, the same build was distributed in the channel itself under the guise of an update. Because Android.Spy.1292.origin is embedded in a copy of the real application, after installation it looks and works like the original, giving the user no reason for suspicion. Each time the Trojan is launched, it collects and sends the following data to its control server:

  • user accounts and mobile phone number;
  • contacts from the phone book;
  • current date;
  • current geolocation;
  • information about files stored on the device;
  • version of the application.
The malware also duplicates some of this information to a Telegram bot belonging to the attackers: for example, it sends the bot the new coordinates every time the device's location changes.
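A detection that follows from this behaviour, as an added example that is not part of the Doctor Web report or of the original post: the report says coordinates are posted to an attacker-controlled Telegram bot but does not name the endpoint, so the script below assumes the bot is driven through the standard Telegram Bot API (https://api.telegram.org/bot<id>:<secret>/<method>) and hunts through egress proxy logs for devices calling it. The log format and every address, bot id, token and user agent in the sample are constructed for the example. The official Telegram client does not use the Bot API, so on a managed fleet of phones any client that does is worth a look.

```python
"""Hunt egress logs for phones that talk to the Telegram Bot API.

Added example, not code from the Doctor Web report. Assumptions: the
attackers' bot is driven through the standard Bot API URL layout,
https://api.telegram.org/bot<id>:<secret>/<method>, and the proxy log
lines look like "<ts> <client> <host> <path> <user-agent>" (a format
invented here; adapt parse_line() to your proxy).
"""
import re
from collections import defaultdict

# Constructed sample log. Addresses, bot ids and token secrets are made up.
# 10.20.0.11 posts to one bot three times in three minutes; 10.20.0.12 is the
# official Telegram client talking to a Telegram data centre, not the Bot API.
SAMPLE_LOG = """\
2025-04-23T08:00:01Z 10.20.0.11 api.telegram.org /bot7012345678:AAFxyz_example_secret-1/sendMessage okhttp/4.9.0
2025-04-23T08:00:02Z 10.20.0.12 203.0.113.50 / Telegram-Android/10.2.3
2025-04-23T08:01:30Z 10.20.0.11 api.telegram.org /bot7012345678:AAFxyz_example_secret-1/sendMessage okhttp/4.9.0
2025-04-23T08:02:10Z 10.20.0.13 api.telegram.org /bot5551234:AnotherExampleSecret/getMe python-requests/2.31.0
2025-04-23T08:03:00Z 10.20.0.11 api.telegram.org /bot7012345678:AAFxyz_example_secret-1/sendMessage okhttp/4.9.0
2025-04-23T08:04:00Z 10.20.0.14 example.org /maps/tile/12/2048/1365 okhttp/4.9.0
"""

# Bot API path: /bot<numeric bot id>:<secret>/<method>. The secret is matched
# but not captured, because it must never end up in a report.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):[\w-]+/(?P<method>\w+)(?:\?.*)?$")
BOT_API_HOST = "api.telegram.org"


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, client, host, path, ua = parts
    return {"ts": ts, "client": client, "host": host, "path": path, "ua": ua}


def find_bot_api_beacons(log_text, min_hits=1):
    """Return {client: summary} for every client that hit the Bot API.

    summary holds the hit count, the set of public bot ids, a per-method
    counter, the user agents seen and the timestamps, so an analyst can
    tell a one-off getMe from a steady stream of sendMessage calls.
    """
    hits = defaultdict(lambda: {
        "count": 0, "bot_ids": set(), "methods": defaultdict(int),
        "user_agents": set(), "timestamps": [],
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != BOT_API_HOST:
            continue
        m = BOT_PATH.match(rec["path"])
        if not m:
            continue
        h = hits[rec["client"]]
        h["count"] += 1
        h["bot_ids"].add(m["bot_id"])          # public id only, never the secret
        h["methods"][m["method"]] += 1
        h["user_agents"].add(rec["ua"])
        h["timestamps"].append(rec["ts"])
    return {c: h for c, h in hits.items() if h["count"] >= min_hits}


def report(findings):
    """Render findings as plain text lines (bot secrets were never stored)."""
    lines = []
    for client, h in sorted(findings.items()):
        methods = ", ".join(f"{k}x{v}" for k, v in sorted(h["methods"].items()))
        lines.append(f"{client}: {h['count']} Bot API call(s), bots {sorted(h['bot_ids'])}, "
                     f"methods {methods}, UA {sorted(h['user_agents'])}")
    return lines


if __name__ == "__main__":
    for line in report(find_bot_api_beacons(SAMPLE_LOG)):
        print(line)
```

On the sample, 10.20.0.11 (three sendMessage calls from an okhttp client, the kind of cadence a location-change beacon produces) and 10.20.0.13 (one getMe from a scripting user agent) are flagged; the official Telegram client and the map-tile fetch are not. Legitimate automation does use the Bot API, so treat a hit as a lead to pair with the command-server indicators from the report rather than a verdict, and keep `min_hits` above one when sweeping a large fleet.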

Once they have the list of available files, the attackers can instruct the Trojan to download and run auxiliary modules that steal the data they want. The researchers' analysis showed that the spyware's creators are interested in confidential documents that users exchange via the Telegram and WhatsApp messengers, as well as the locLog location log file that Alpine Quest itself creates.

The experts remind users that Android applications should be installed only from trusted sources, such as official app catalogs, and not downloaded from Telegram channels or dubious sites (especially when the offer is a supposedly free version of a paid program).