A malicious variant of the widely used Alpine Quest navigation app has emerged, specifically designed to infiltrate Russian military Android devices. Security experts at Doctor Web have identified this modified application as harboring the Android.Spy.1292.origin spyware, which collects sensitive information and executes remote commands.
Spyware Functions and Targeting Strategy
Alpine Quest, favored by outdoor enthusiasts for its offline mapping capabilities, has also become a tool for military personnel operating in remote areas of Russia. This dual-use nature provided an ideal façade for cyber attackers, who repackaged an outdated version of the app and distributed it as a free download via a deceptive Telegram channel. Users were directed to an app store tailored for Russian audiences, where the compromised build was marketed as a premium version of the legitimate app.
Upon installation, the spyware begins its covert operations. Each time the app is launched, it transmits a wealth of data back to a remote server, including:
- User’s phone number
- Account details
- Contact list
- Geolocation data
- A catalog of files stored on the device
Additionally, the spyware communicates with a Telegram bot controlled by the attackers, relaying updated location information whenever the user moves.
Doctor Web’s investigation reveals that this spyware is not limited to tracking. It can be instructed to download additional modules tailored to extract specific types of content. The attackers seem particularly focused on documents exchanged through messaging platforms like Telegram and WhatsApp. Furthermore, the spyware actively searches for a file named locLog, which Alpine Quest generates to record the user’s movements.
The integration of spyware with a functioning version of the app allows it to operate discreetly, evading detection for extended periods. Its modular architecture enables the malware to adapt and expand its capabilities in alignment with the attackers’ evolving objectives.
In light of these developments, Doctor Web strongly advises users against downloading applications from unofficial sources, even when they promise free access to premium features. It is prudent to exercise caution even on official app stores, as malicious applications have occasionally bypassed review processes on platforms like Google Play and the App Store.
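One way to turn the report's two observations (the app arrived outside an official store, and it reads data a map app has no business reading) into a quick triage check. This is an added example, not code from Doctor Web or the Alpine Quest project: it parses the output of `adb shell dumpsys package <pkg>`; the permission sets, the trusted-installer list and the sample dumpsys text below are assumptions constructed for illustration.

```python
"""Triage a navigation app from `adb shell dumpsys package <pkg>` output.

Flags (1) an installer other than Google Play and (2) granted permissions that
map onto the data categories the report lists (contacts, accounts, phone number)
but that an offline map app does not need. Added example; the permission lists
and the sample text are constructed assumptions, not from the report."""
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play (assumption: the only trusted source)
# Permissions an offline map app plausibly needs for its advertised function (assumption).
EXPECTED = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
}
# Permissions that would let an app collect the data categories named in the report.
SUSPECT = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "account details",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.READ_PHONE_STATE": "phone number",
}
# Matches "android.permission.X" optionally followed by ": granted=true/false".
PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)(?:: granted=(true|false))?")

def triage(dumpsys_text):
    """Return installer, granted permissions and a list of human-readable findings."""
    installer, granted = None, set()
    for line in dumpsys_text.splitlines():
        line = line.strip()
        if line.startswith("installerPackageName="):
            installer = line.split("=", 1)[1]
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    findings = []
    if installer not in TRUSTED_INSTALLERS:
        findings.append(f"installed outside the Play Store (installer={installer})")
    for perm in sorted(granted & SUSPECT.keys()):
        findings.append(f"holds {perm} -> can read {SUSPECT[perm]}")
    extra = sorted(granted - EXPECTED - SUSPECT.keys())
    if extra:
        findings.append("other permissions beyond a map app's needs: " + ", ".join(extra))
    return {"installer": installer, "granted": granted, "findings": findings}

# Constructed sample in dumpsys format; NOT a real capture of the trojanized app.
SAMPLE_DUMPSYS = """\
Package [psyberia.alpinequest.full]:
    installerPackageName=null
  install permissions:
      android.permission.INTERNET: granted=true
  runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMPSYS)["findings"]:
        print("FLAG:", finding)
```

On a real device, feed it `adb shell dumpsys package psyberia.alpinequest.full` (or whatever package name the installed build reports); a legitimate Play Store install with only location and storage permissions produces no findings.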
As of now, the identity of the group orchestrating this campaign remains unknown, and it is uncertain whether the operation is of domestic or foreign origin. However, previous similar incidents have been associated with Ukrainian hacktivist factions, including Cyber Resistance, also recognized as the Ukrainian Cyber Alliance. In 2023, they reportedly targeted the spouses of Russian military personnel to extract sensitive and personal information. Despite these connections, no definitive attribution has been established for the group responsible for this spyware initiative.