New Android spyware is targeting Russian military personnel on the front lines

Trojanized mapping app steals users' locations, contacts, and more.

Russian military personnel are being targeted with recently discovered Android malware that steals their contacts and tracks their location. The malware is hidden inside a modified app for Alpine Quest mapping software, which is used by, among others, hunters, athletes, and Russian personnel stationed in the war zone in Ukraine. The app displays various topographical maps for use online and offline.

The trojanized Alpine Quest app is being pushed on a dedicated Telegram channel and in unofficial Android app repositories. The chief selling point of the trojanized app is that it provides a free version of Alpine Quest Pro, which is usually available only to paying users.

Looks like the real thing

The malicious module is named Android.Spy.1292.origin.

In a blog post, researchers at Russia-based security firm Dr.Web wrote: If there are files of interest to the threat actors, they can update the app with a module that steals them. The threat actors behind Android.Spy.1292.origin are particularly interested in confidential documents sent over Telegram and WhatsApp. They also show interest in the file locLog, the location log created by Alpine Quest. The modular design of the app makes it possible for it to receive additional updates that expand its capabilities even further.

Dr.Web provided no details about who might be behind the creation and seeding of Android.Spy.1292.origin. Assuming it was Ukraine—a reasonable guess given Russia’s ongoing invasion of its neighbor—the attack turns the tables. Intelligence agencies and security researchers have tracked a long series of cyberattacks Russia has waged on the neighboring country.

They include two hack-induced power outages, one in December 2015 and the other 12 months later. Each of them left hundreds of thousands of Ukrainians without power during one of the coldest months of the year. Russia has also been credibly accused of distributing wiper malware that took out thousands of satellite modems in Ukraine and of infecting Starlink-connected devices in that country.

Separately, Moscow-based security company Kaspersky reported Thursday that government, finance, and industrial organizations in Russia are being targeted by a sophisticated backdoor. It targets computers connected to ViPNet networks, a software suite for creating secure networks. The malware is distributed inside LZH-formatted archives using a structure that’s typical of ViPNet updates.