Invasive Russian malware, specifically spyware masquerading as an Android app, was recently detected by cybersecurity researchers at Lab52.
According to the researchers' report, the spyware is linked to the Russian state-backed hacking group, Turla, known for using custom malware to target European and American systems for espionage, per Bleeping Computer.
The Google App Store no longer hosts the app in question for download as of the publication of this article.
Turla Spyware Details
According to Lab52's report, a warning appears informing the Android user of the permissions granted to the application. These include monitoring screen unlock attempts, locking the screen, setting the device's global proxy, setting the screen lock password expiration, setting storage encryption, and disabling cameras. Once these permissions are granted, the app removes its icon from the screen and notifies the user that it is running in the background.
The suspected Russian spyware requests a range of permissions from the user; the Process Manager app itself asks the user to grant it access to 18 phone features. These are:
- Access coarse location
- Access fine location
- Access network state
- Access Wi-Fi state
- Camera
- Foreground service
- Internet
- Modify audio settings
- Read call log
- Read contacts
- Read external storage
- Write external storage
- Read phone state
- Read SMS
- Receive boot completed
- Record audio
- Send SMS
- Wake lock
The spyware also allows itself to be included in the phone's backups, to share information with other apps and be accessed by the device, and to access secret content.
Bleeping Computer noted that these permissions, once granted, pose a critical risk to a user's privacy, as they allow the app to track the device's location, send and read texts, and access the phone's storage. The permissions also let the hackers take pictures with the camera and record audio without the user knowing.
It was also speculated that the spyware is part of a larger system, based on its command-and-control server infrastructure, per Android Police.
It remains to be seen what implications a Russian connection to the malware entails.
How to Get Rid of Spyware and Malware
Android users should review the app permissions they have already granted and revoke any that could expose them to privacy invasion, hacking, or similar harm.
Avast also suggests using a spyware removal tool to find hidden spies and remove all traces of them from an Android device. Although such tools are often bundled with antivirus apps, many of them may be fake and could even be malware or other spyware in disguise.
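A defender-side check in the spirit of the advice above (review what has already been granted), added here as an example and not part of the article or Lab52's report: it parses the permission lines that `adb shell dumpsys package` prints and flags any app holding several of the surveillance permissions the article lists for Process Manager. The sample output and the package names in it are constructed, not a real capture.

```python
import re

# The 18 permissions the article lists for the "Process Manager" app, as real Android constants.
PROCESS_MANAGER_PERMS = {
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
    "CAMERA", "FOREGROUND_SERVICE", "INTERNET", "MODIFY_AUDIO_SETTINGS", "READ_CALL_LOG",
    "READ_CONTACTS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE",
    "READ_SMS", "RECEIVE_BOOT_COMPLETED", "RECORD_AUDIO", "SEND_SMS", "WAKE_LOCK",
}
# The surveillance capabilities the article calls out: location, texts, camera, microphone, calls.
HIGH_RISK = {"ACCESS_FINE_LOCATION", "READ_SMS", "SEND_SMS", "CAMERA", "RECORD_AUDIO", "READ_CALL_LOG"}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*android\.permission\.([A-Z_]+): granted=true")

def parse_granted(dumpsys_text):
    """Map each package name to the set of permissions dumpsys reports as granted=true."""
    granted = {}
    current = None
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            granted.setdefault(current, set())
        elif (m := PERM_RE.match(line)) and current:
            granted[current].add(m.group(1))
    return granted

def triage(dumpsys_text, min_high_risk=3):
    """Return (package, overlap with the 18-permission set, high-risk count), riskiest first."""
    hits = []
    for pkg, perms in parse_granted(dumpsys_text).items():
        risky = len(perms & HIGH_RISK)
        if risky >= min_high_risk:  # only apps holding several surveillance permissions
            hits.append((pkg, len(perms & PROCESS_MANAGER_PERMS), risky))
    return sorted(hits, key=lambda t: (-t[2], -t[1], t[0]))

# Constructed sample in the shape of `adb shell dumpsys package` output; not a real capture.
SAMPLE = """\
  Package [com.example.weather] (1a2b3c):
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
  Package [com.example.procmgr] (4d5e6f):
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.SEND_SMS: granted=false, flags=[ USER_SET]
"""
```

On a real device, feed `triage()` the output of `adb shell dumpsys package` and review the flagged packages by hand; a permission count is a triage signal, not proof of spyware.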
Deleting suspicious apps can also save users from avoidable headaches in the future, per AVG. To do so, users should reboot their Android phones in safe mode to prevent third-party apps from running. After doing so, they should go to "Settings" and tap "Apps & Notifications" to access the info of the apps installed on the device. Tapping "Uninstall" on any app that looks suspicious will remove the troublesome app and spyware.
Performing a factory reset is the last resort for compromised users, as it wipes everything on the phone, including the spyware. Before doing so, Avast strongly suggests restoring from a backup made before the spyware issues started, to prevent the loss of photos, apps, and other important data on the device.