Android Malware from Russians Uses Your Camera, Records Audio, Tracks Location

Internet security researchers from Lab52 have spotted a malicious APK linked to Turla – a hacking group sponsored by the Russian government. The malware innocently calls itself “Process Manager” and seeks 18 user permissions that allow it to take over the smartphone camera, record user audio, and track user information.

The spyware installs itself on your phone before requesting permissions to user’s access Wi-Fi state, access coarse and fine locations, camera, read and write external storage, call log, audio settings, SMS, and other phone functionalities. Then, using the Android Accessibility service, the malware grants these permissions to itself before disappearing from users’ phones.

After it is no longer traceable in Android smartphones, it leaves a telltale notification that says “Process Manager is running”. Why the hackers leave this notification message is not known, given that they are trying to hide their activities. But the untraceable malware downloads “Roz Dhan: Earn Wallet Cash,” a legit Play Store app that earns money for users based on a referral system.

The Russian malware also downloads several malicious payloads that record users’ audio communications, read SMS, access phone logs, and track users’ locations which are then sent in JSON format to a command and control server at 82.146.35.240. This technique of distributing the APK is relatively new, but Turla had been known to employ all tricks in the book to go after American and European targets.

Tech analysts believe Process Manage is part of a shared infrastructure that enables the Russian hacking group to obliterate its tracks and confuse investigators.

Android device users are warned to not grant permissions to Process Manager or any unknown app. They are also warned to review the app permissions they have in place and to revoke anyone that looks fishy. Users with Android 12 will have their devices notify them if their smartphone has the microphone or camera working in the background, so identifying the activity of the malware becomes easier.