Lab52 researchers discovered that a new Android spyware application impersonating a "Process Manager" service has been communicating with infrastructure previously associated with Russian hacking group Turla
in an effort to exfiltrate sensitive information, according to The Hacker News.
"When the application is run, a warning appears about the permissions granted to the application. These include screen unlock attempts, lock the screen, set the device global proxy, set screen lock password expiration, set storage encryption, and disable cameras," said researchers. Activating the app prompts the malware to omit its icon from the home screen and proceed in accessing contacts and call logs, messages, and external storage, as well as capturing photos and recording audio from infected devices. The malware then collects the information in JSON format that is then sent to the remote server. While the evidence linking the spyware to Turla remains lacking, researchers found that the app also attempts to download the Roz Dhan app. "The application, [which] is on Google Play and is used to earn money, has a referral system that is abused by the malware. The attacker installs it on the device and makes a profit," said researchers.