A new “malware” of Russian origin has been identified by the security threat firm Lab52. Process Manager is the name of this malicious “software”, which is capable of stealing data, recording audio and video and tracking location while running in the background on Android devices.

Lab52 has identified that this malicious agent uses the same shared hosting infrastructure as a group of cybercriminals of Russian origin named Turla. According to the information gathered by Europa Press, it is unknown whether Process Manager is backed by Turla or has any connection or direct relationship with this campaign, also known as Snake or Uroburos.

This “software”, which is also of Russian origin, reaches devices through a malicious APK file that acts as “spyware” on Android and steals data in the background without the user's knowledge.

As the researchers determined, once installed, the “app” is placed in the applications menu and displays a gear icon that users may confuse with the Settings menu.

Also, when it is run for the first time on the device, it requests a total of 18 permissions, ranging from access to the phone's location and locking and unlocking the screen to information about Wi-Fi networks and the camera sensors built into the handset.

Other permissions requested by this application include access to phone calls and contact information, the ability to launch the app when the device boots, to send SMS, to write to the memory card and to read the device's external storage.
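As an added example (not code from Lab52's report or from this article), the following Python check parses an app's AndroidManifest.xml and counts how many of the capability categories described above its requested permissions cover, which is a cheap triage signal for this kind of spyware profile. The mapping from the article's descriptions to Android permission names, the flagging threshold and the sample manifest are assumptions and constructed test data, not the actual 18 permissions of Process Manager.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the capabilities described in the article to Android
# permission names; the article itself does not list the permission strings.
SPYWARE_PROFILE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "screen_lock": {"android.permission.WAKE_LOCK", "android.permission.DISABLE_KEYGUARD"},
    "wifi_info": {"android.permission.ACCESS_WIFI_STATE"},
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "boot_start": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "send_sms": {"android.permission.SEND_SMS"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def spyware_profile_match(manifest_xml: str, threshold: int = 7) -> dict:
    """Score a manifest against the profile; 'threshold' (assumed) is a tuning choice."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(cat for cat, names in SPYWARE_PROFILE.items() if perms & names)
    return {"matched": matched, "count": len(matched),
            "total": len(SPYWARE_PROFILE), "flag": len(matched) >= threshold}

# Constructed sample manifest covering every category in the profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.procmgr">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    print(spyware_profile_match(SAMPLE_MANIFEST))
```

A real manifest inside an APK is binary-encoded, so decode it first (for example with apktool or androguard) before feeding it to this check.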

Once the application has been opened for the first time, its icon is removed from the applications menu and it runs in the background, while still appearing in the notification bar.

In this way, in addition to stealing confidential information, it is capable of taking photos or videos, as well as recording audio through the voice recorder that usually comes pre-installed on these phones.

In this case, the application extracts these recordings in MP3 format into the cache directory and, together with the rest of the data, sends them in JSON format to a server located in Russia.

At the moment, it is unknown where this “malware” comes from, but researchers have found clues in another application called Ro Dhan: Earn Wallet Cash, which until now was available on Google Play.
