Researchers have discovered what they believe is the first recorded instance of Android malware distribution by prolific state-sponsored Russian hacking group Turla (aka Venomous Bear, amongst other names).
The advanced persistent threat (APT) group is linked to Russia’s Federal Security Service (FSB), a successor to the KGB.
It is currently involved in operations targeting pro-Ukrainian activists and Ukrainian forces, many of whom have been encouraged to enlist in a volunteer “IT army” to DDoS Russian assets.
Some are encouraged to use apps like the Android application StopWar, designed to make it easy for Ukrainian supporters to DDoS pre-selected Russian sites direct from their smartphone.
The Turla group has spoofed this app in an attempt to infect users with malware, according to Google’s Threat Analysis Group (TAG), who spotted the malware in March.
These apps are hosted on a domain which spoofs the Ukrainian Azov Regiment, a far-right infantry unit currently fighting on the front line.
Billy Leonard, a Google TAG security engineer, said: “The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services.”
“The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the ‘DoS’ consists only of a single GET request to the target website, not enough to be effective.”
The number of these apps installed, according to Leonard, is “minuscule.”