Researchers have spotted what they believe is the first recorded instance of Android malware distributed by prolific state-sponsored Russian hacking group Turla.
Also known as Venomous Bear among many other monikers, the APT group is linked to Russia’s Federal Security Service (FSB), a successor to the KGB.
As such, it’s currently involved in operations targeting Ukrainian forces and pro-Ukrainian activists, many of whom have been encouraged to enlist in a volunteer “IT army” to DDoS Russian assets.
To do so, some are encouraged to use apps like StopWar, an Android application designed to make it easy for Ukraine supporters to DDoS pre-selected Russian sites direct from their smartphone.
It is this app, spotted by Google’s Threat Analysis Group (TAG) in March, that the Turla group has now spoofed in an attempt to infect users with malware.
The apps in question are hosted on a domain which spoofs the Ukrainian Azov Regiment, a far-right infantry unit currently fighting on the front line.
“The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services,” said Google TAG security engineer, Billy Leonard.
“The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the 'DoS' consists only of a single GET request to the target website, not enough to be effective.”
It’s unclear what the final malicious payload is, and in any case Leonard explained that the number of installs so far has been “miniscule.” However, the tactic highlights the varied measures and counter measures both sides are using in a bid to win the cyber war.
In March, security researchers warned pro-Ukrainian activists to be cautious when downloading DDoS tools from the internet as they may be booby-trapped with info-stealing Russian malware.