Researchers at Lab52 discovered a sneaky Android app that’s collecting a vast amount of sensitive data from a victim’s device and transporting back to hackers C2.
Masquerading with the name of Process Manager, this app is seemingly harmless until it grants itself a bunch of permissions, and starts running in the background constantly. Also, it deletes the app icon itself to avoid detection. Researchers linked this app to a Russian state-backed hacking gang called The Turla group.
New Malicious Android App From Russian Hackers
In the world of cybersecurity, nearly half of the cyber incidents are somehow linked to some Russian connections. Whether it be an underground forum, profit-based hackers, or state-backed hacking groups, Russian cyber teams are everywhere, most of the time.
A notable team among them is The Turla group, a Russian state-backed hacking group that was first discovered in 2020, is now back with a malicious Android app. Named the Process Manager, this seemingly harmless app is in the wild aiming the steal sensitive data from victims’ devices.
Spotted and detailed by Lab52 researchers, this spyware is masquerading as a helpful tool but grants itself a number of permissions without the user’s knowledge. How it’s able to do it isn’t known yet, but researchers state it’s possible by leveraging the Android Accessibility service.
So if a user unknowingly grants the app permission to Accessibility service, this app in turn grants itself 18 other permissions like location access, reading messages, audio recording, etc. And once it’s done permitting itself everything it needed, it wipes out the app icon automatically to stay undetected.
Yet, it runs silently in the background, and a permanent notification saying “Process Manager is running” remains. Researchers also said the app downloads multiple extra malicious payloads and are yet to study further.
