Russian military personnel are being targeted by recently discovered Android malware that steals their contacts and tracks their location.
The malware is hidden inside a modified copy of the Alpine Quest mapping app, which is used by hunters, players and Russian personnel stationed in the war zone in Ukraine, among others. The app displays various topographical maps for online and offline use. The trojanized Alpine Quest app is being pushed in a dedicated Telegram channel and in unofficial Android app repositories. The main selling point of the trojanized app is that it provides a free version of Alpine Quest Pro, which is usually available only to paying users.
Looks like the original thing
The malicious module is named Android.Spy.1292.origin. In a blog post, researchers at the Russia-based security firm Dr. Web wrote:
Since Android.Spy.1292.origin is embedded into a copy of the real app, it looks and operates like the original, which allows it to go undetected and perform malicious tasks for a long time.
Each time it is launched, the trojan collects and sends the following data to the C&C server:
- User’s mobile phone number and their accounts;
- Contacts from the phone book;
- Current date;
- Current geographical location;
- Information about files stored on the device;
- App version.
If there are files of interest to the threat actors, they can update the app with a module that steals them. The threat actors behind Android.Spy.1292.origin are especially interested in secret documents sent over Telegram and WhatsApp. They also show interest in the file locLog, the location log created by Alpine Quest. The app's modular design makes it possible for it to receive additional updates that expand its capabilities.