Researchers uncovered a previously unknown, Russian-linked Android malware that masquerades as a system app called ‘Process Manager’ while collecting a wealth of user data.
According to Lab52 (via Bleeping Computer), the malware is linked to Turla, a Russian state-sponsored hacking group. Turla is known for using custom malware to target European and American systems, typically for espionage. Moreover, Turla was recently linked to the ‘Sunburst’ backdoor used in the 2020 SolarWinds attack.
Lab52 identified a malicious APK — the file type used for Android applications — called ‘Process Manager.’ It’s not clear how threat actors distribute the APK to users. Based on the connection to Turla, it’s possible threat actors use phishing schemes or social engineering to get the app installed on devices.
Once installed, however, the app disguises itself with a gear-shaped icon to look like a system component. Coupled with the ‘Process Manager’ name, it could be easily mistaken for part of the Android system.
On first launch, Lab52 says the app prompts the user to grant it 18 permissions, including access to location, camera, call logs, SMS, the ability to read and write to storage, and more. With these permissions, Process Manager can effectively gather a huge amount of data about the device’s owner.
Lab52 noted it’s not clear if the app uses the Android Accessibility service to grant itself permissions, or if it tricks users into granting permission.
Further, once the malware gets the permissions, it removes its icon and runs in the background. Interestingly, the app shows a notification saying that it’s running, which seems counterintuitive for a spyware app that would want to remain hidden.
Lab52 also found that the malware installed additional apps on victims’ devices, including one called ‘Roz Dhan: Earn Wallet cash,’ a popular money-earning app. The malware appears to install the app using its referral system, likely earning a commission for the creators.
All this seems relatively strange for spyware — Bleeping Computer suggests the unsophisticated nature may indicate the spyware is part of a larger system.
The publication also suggests some ways Android users can protect themselves. For one, check the ‘Permission manager’ feature in the Settings app (on my phone, it’s available in the ‘Privacy’ menu). It’s a good idea to revoke permissions for any apps you don’t trust, or that appear risky. Users should also pay attention to the new camera and microphone use indicators that appear on devices running Android 12. If these indicators show up when you’re not using the camera or microphone, it could indicate the presence of spyware on your device.
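For readers who would rather audit permission grants from a workstation than tap through every app in the Settings menu, the following is an added example (not code from Lab52, Bleeping Computer or the original article). It parses the text that `adb shell dumpsys package <package>` prints for an app and flags packages holding the kinds of sensitive grants the article lists: location, camera, call logs, SMS and storage. The exact line format is assumed from typical Android output, the package names and dump text below are constructed samples, and the mapping from the article's wording to `android.permission.*` names is the editor's choice.

```python
"""Flag Android apps that hold many sensitive runtime-permission grants.

Added example; input format and sample data are assumed/constructed.
Real input comes from:  adb shell dumpsys package <package>
Third-party package list: adb shell pm list packages -3
"""
import re
from typing import Dict, List

# Article wording -> android.permission names (editor's assumed mapping).
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.WRITE_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# dumpsys lines look like (assumed format):
#   android.permission.CAMERA: granted=true, flags=[ USER_SET]
# Both the "install permissions:" and "runtime permissions:" blocks use it,
# so we match anywhere in the dump rather than tracking block boundaries.
GRANT_LINE = re.compile(
    r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


def granted_permissions(dumpsys_text: str) -> List[str]:
    """Permission names reported as granted=true, in file order."""
    granted = []
    for line in dumpsys_text.splitlines():
        m = GRANT_LINE.match(line)
        if m and m.group(2) == "true":
            granted.append(m.group(1))
    return granted


def sensitive_categories(dumpsys_text: str) -> List[str]:
    """Sorted, de-duplicated sensitive categories the app currently holds."""
    cats = {SENSITIVE_PERMISSIONS[p] for p in granted_permissions(dumpsys_text)
            if p in SENSITIVE_PERMISSIONS}
    return sorted(cats)


def audit(packages: Dict[str, str], threshold: int = 3) -> Dict[str, List[str]]:
    """Return packages whose number of sensitive categories reaches threshold.

    A flashlight app with only 'camera' is normal; an app that can read your
    location, SMS and call log at once deserves a second look.
    """
    flagged = {}
    for pkg, text in packages.items():
        cats = sensitive_categories(text)
        if len(cats) >= threshold:
            flagged[pkg] = cats
    return flagged


def revoke_commands(pkg: str, dumpsys_text: str) -> List[str]:
    """adb commands that would revoke every sensitive grant for pkg."""
    return [f"adb shell pm revoke {pkg} {p}"
            for p in granted_permissions(dumpsys_text)
            if p in SENSITIVE_PERMISSIONS]


# Constructed sample dumps (package names and hashes are made up).
SAMPLE_DUMPS = {
    "com.example.processmanager": """\
Package [com.example.processmanager] (1a2b3c):
    userId=10150
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
""",
    "com.example.flashlight": """\
Package [com.example.flashlight] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
""",
}

if __name__ == "__main__":
    for pkg, cats in audit(SAMPLE_DUMPS).items():
        print(f"{pkg} holds sensitive grants: {', '.join(cats)}")
        for cmd in revoke_commands(pkg, SAMPLE_DUMPS[pkg]):
            print("   ", cmd)
```

On a real device, collect the third-party package list with `adb shell pm list packages -3`, run `adb shell dumpsys package <package>` for each, and feed the text into `audit`. The threshold is deliberately a judgement call: the article's ‘Process Manager’ asks for location, camera, call logs, SMS and storage together, which is what this script is tuned to surface, while a single-purpose app that holds one of those is unremarkable. The `pm revoke` commands do the same thing as revoking a permission in the Settings app's Permission manager.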