Your Android phone may be next target of new malware associated with Russia

According to the security researchers of threat intelligence firm Lab52, Process Manager malware, once installed, acts as an app drawer to trick the user into navigating the interface of the phone.


In Short

  • A new malware is targeting Android phones to access their mics and cameras.
  • The malware may be linked to Russian hackers, the researchers have said.
  • The malware may be spreading through an app called Roz Dhan: Earn Wallet Cash.

Your Android phone may be vulnerable to attack from a new malware that has links to Russian hackers, according to security researchers. Called Process Manager, the new malware targets Android phones to record audio using the microphone and track its location without the user’s knowledge. Researchers said that this malware uses the same shared-hosting infrastructure as the one once used by a group of Russian hackers called Turla. But whether the same hackers are behind the new malware is not clear right now.

According to the security researchers of threat intelligence firm Lab52, Process Manager malware, once installed, acts as an app drawer to trick the user into navigating the interface of the phone. The app drawer has a gear-shaped icon, so it is easy to fool users into tapping it instead of the original one. While the source of the malware is not certain, researchers said that hackers may have abused the referral system of an app called Roz Dhan: Earn Wallet Cash. This app is available on the Google Play Store with over 10 million downloads.

The malware-ridden app asks the user to grant as many as 18 system-level permissions the first time they open it, per researchers who mentioned their findings in a report. These permissions are related to the phone’s GPS location, camera, microphone, sensors, and Wi-Fi, among others, the researchers said.

The researchers explained that after the user has granted the app all the permissions, the app removes its icon but keeps running in the background. An icon shows persistently in the notification bar of the phone, but the user may not be able to take action on it.

This phoney app, after gaining access to system settings, begins to change the phone’s configuration and execute the malicious code so that the microphone and the camera of the phone are accessible to hackers. The app was found to be saving audio recordings in MP3 format in the phone’s cache folder, where other confidential data such as the location is also stored. The malware then sends all the data in JSON format to a server located in Russia. The distribution method of the APK file is not clear, but if it is Turla, hackers may have used methods such as social engineering, phishing, and watering hole attacks.

How to save your phone from malware

Android phone users need to be vigilant about what websites they visit and what apps they download. Any suspicious app would masquerade as benign and try to trick users into granting system-level permissions. Thus, users should review the permissions that the app they just downloaded asks for during the installation. And in case the permissions are granted, Android 10 and higher versions allow users to deny permissions at any time. Android 12 also prompts users through coloured dots when the microphone and/or the camera of the phone are being accessed, which means they can immediately know when suspicious activity is taking place on the phone.
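
The permission review described above can also be done in bulk from a computer. The following is an added example, not code from Lab52 or from this article: it parses text in the layout printed by `adb shell dumpsys package` and lists apps that hold the location, camera and microphone permissions together. The sample dump, the package names in it and the threshold of three are constructed for illustration, and the assumed layout is noted in the comments.

```python
import re

# Real Android runtime permissions covering the capabilities the article
# names: location, camera and microphone.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Assumed layout: "Package [name] (id):" headers followed by lines of the
# form "android.permission.X: granted=true, flags=[ ... ]".
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def granted_permissions(dump):
    """Map each package name to the set of permissions marked granted=true."""
    result, current = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            result[current].add(m.group(1))
    return result

def flag_packages(dump, min_sensitive=3):
    """Return packages holding at least min_sensitive sensitive permissions."""
    flagged = {}
    for pkg, perms in granted_permissions(dump).items():
        hits = perms & SENSITIVE
        if len(hits) >= min_sensitive:
            flagged[pkg] = sorted(hits)
    return flagged

# Constructed sample input (not from a real device or from the report).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.settingshelper] (1a2b3c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""
```

A flagged package is only a candidate for manual review, since legitimate camera and navigation apps hold the same permissions.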