One of the ways cybercriminals distribute malware is by bundling it with pirated software. Before smartphones, that meant "activated" Windows programs that let the user avoid paying for a licence. Today it is more common with APKs for Android, the most widespread mobile operating system. For this reason the standing advice has always been to steer clear of such downloads, something Dr.Web recalled this week after discovering malware aimed at Russian military personnel.
This spyware Trojan hides inside a modified APK (Android Package Kit, the file format Android uses to distribute and install applications) of the mapping app Alpine Quest. The application is normally used by hunters and athletes, "but is also widely used by Russian military personnel in the area of the special military operation", the euphemism with which Russia refers to its invasion of Ukraine.
Alpine Quest offers its users topographic maps for both online and offline use. The malicious version is distributed through a dedicated Telegram channel and through unofficial Android app repositories, with the usual hook in these cases: the paid Pro version of the application, offered for free. A saving of a few rubles that can cost the Russian soldiers deployed in Ukraine dearly.
The malicious component in the app is identified as Android.spy.1292.origin. As Dr.Web researchers explain, the spyware is embedded in a copy of the app that is otherwise legitimate and keeps the original appearance and functionality, which lets it operate undetected for longer.
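Because the spyware rides inside a repackaged copy of the app, the modified APK cannot be signed with the developer's original key, so comparing the signer certificate against a known-good fingerprint is a practical way to spot such a copy before installing it. The stdlib-only Python check below is an added example (not code from the article or from Dr.Web): it extracts the signer certificate(s) from an APK's v1 signature block and compares their SHA-256 fingerprints with an expected value; the in-memory sample APK and its certificate are constructed placeholders, and the expected fingerprint is whatever you record from the genuine app.

```python
import hashlib, io, zipfile

def der_children(buf):                       # yield (tag, tlv, value) per DER element in buf
    pos = 0
    while pos < len(buf):
        tag, length, head = buf[pos], buf[pos + 1], 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, head = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        end = pos + head + length
        yield tag, buf[pos:end], buf[pos + head:end]
        pos = end

def certs_from_pkcs7(blob):
    """Return the DER certificates embedded in a PKCS#7 SignedData (APK v1 META-INF/*.RSA)."""
    _, _, contentinfo = next(der_children(blob))            # ContentInfo SEQUENCE
    for tag, _, signed_data in der_children(contentinfo):
        if tag == 0xA0:                                     # [0] EXPLICIT SignedData
            _, _, fields = next(der_children(signed_data))  # SignedData SEQUENCE
            for tag2, _, certset in der_children(fields):
                if tag2 == 0xA0:                            # [0] IMPLICIT certificates SET OF
                    return [tlv for t, tlv, _ in der_children(certset) if t == 0x30]
    return []

def signer_fingerprints(apk_bytes):          # SHA-256 of every v1 (JAR) signer certificate
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(apk.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def signed_by_expected(apk_bytes, expected_fp):   # True only if signed and every signer matches
    return bool(fps := signer_fingerprints(apk_bytes)) and fps == {expected_fp.lower()}

def der(tag, value):                         # minimal DER encoder, used only for the sample
    n = len(value)
    lead = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + lead + value

def build_sample_apk(cert_der):              # constructed stand-in APK: zip + skeletal PKCS#7 block
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
                 + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

The check only covers the v1 (JAR) signature; an app signed exclusively with the v2/v3 scheme keeps its certificates in the APK Signing Block, which `apksigner verify --print-certs` reads for you.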
The data that the Alpine Quest malware collects
Every time it runs, the Trojan collects the following data and sends it to the command-and-control server:
- The user's phone number and associated accounts.
- Contacts from the address book.
- The current date.
- The current geolocation.
- Information about the files stored on the device.
- The app version.
At the same time, it duplicates part of this information to the attackers' Telegram bot. For example, the Trojan sends geolocation data every time the device's location changes.
If the attackers spot files of interest, they can order the Trojan to download and run additional modules that are then used to steal those files. Dr.Web researchers have observed particular interest in confidential documents sent via Telegram and WhatsApp, as well as in the file Loclog, which records locations and is generated by Alpine Quest. The app's modular architecture allows new capabilities to be added through updates.
Dr.Web does not identify those responsible for creating and distributing Android.spy.1292.origin. However, given the ongoing war, it is likely to be a Ukrainian intelligence operation.