Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software.
“The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs,” Doctor Web said in an analysis.
The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro, a program with advanced functionality.
The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel.
While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an APK as an app update.
What makes the attack campaign noteworthy is that it takes advantage of the fact that Alpine Quest is used by Russian military personnel in the Special Military Operation zone.
Once installed on an Android device, the malware-laced app looks and functions just like the original, allowing it to stay undetected for extended periods of time, while collecting sensitive data –
- Mobile phone number and their accounts
- Contact lists
- Current date and geolocation
- Information about stored files, and
- App version
Besides sending the victim’s location every time it changes to a Telegram bot, the spyware supports the ability to download and run additional modules that allow it to exfiltrate files of interest, particularly those sent via Telegram and WhatsApp.
“Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked,” Doctor Web said. “In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks.”
To mitigate the risk posed by such threats, it’s advised to download Android apps only from trusted app marketplaces and avoid downloading “free” paid versions of software from dubious sources.
Russian Organizations Targeted by New Windows Backdoor
The disclosure comes as Kaspersky revealed that various large organizations in Russia, spanning the government, finance, and industrial sectors, have been targeted by a sophisticated backdoor by masquerading it as an update for a secure networking software called ViPNet.
“The backdoor targets computers connected to ViPNet networks,” the company said in a preliminary report. “The backdoor was distributed inside LZH archives with a structure typical of updates for the software product in question.”
Present within the archive is a malicious executable (“msinfo32.exe”) that acts as a loader for an encrypted payload also included in the file.
“The loader processes the contents of the file to load the backdoor into memory,” Kaspersky said. This backdoor is versatile: it can connect to a C2 server via TCP, allowing the attacker to steal files from infected computers and launch additional malicious components, among other things.”
