A new Android spyware strain has been found hidden inside trojanized copies of the Alpine Quest mapping application, an app that has gained traction among Russian soldiers for operational planning in war zones.
The attackers advertise these trojanized builds as free, cracked copies of the paid Alpine Quest Pro, distributing them through Telegram channels and Russian third-party app catalogs. The legitimate AlpineQuest app is a widely used GPS and topographic mapping tool, favored by hikers, athletes, search-and-rescue teams and military personnel for its accuracy and its ability to work fully offline.
The app ships in two editions: a free Lite version with limited features and a paid Pro version that contains no tracking libraries, analytics or advertisements. The newly discovered spyware, identified by researchers at the Russian mobile antivirus firm Doctor Web, is embedded in a fully working copy of the app, so the victim gets the mapping functionality they expected and has little reason to suspect anything while the data theft proceeds.
Once launched, the malware collects communication data and sensitive documents from the device, potentially exposing information about military operations. The spyware performs the following actions:
- Transmitting the user’s phone number, contacts, geolocation, file information, and app version to the attackers.
- Monitoring real-time location changes and relaying updates to a Telegram bot.
- Downloading additional modules designed to extract confidential files, particularly those exchanged via Telegram and WhatsApp.
- Searching for Alpine Quest's 'locLog' file, which stores the user's location history.
Doctor Web tracks this previously undocumented spyware as 'Android.Spy.1292.origin'; the report does not attribute it to a specific actor. Indicators of compromise are provided in the report for further investigation.
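The behaviors listed above suggest a few strings a static triage pass can look for when a "cracked" Alpine Quest APK turns up: the Telegram Bot API endpoint and bot-token format used for exfiltration, the 'locLog' filename, and the on-device data paths of Telegram and WhatsApp. The script below is an added example written for this article, not Doctor Web's detection logic or any published indicator; the patterns, the package names and the sample APK (a plain zip with a fake classes.dex, constructed inline) are this example's own assumptions.

```python
import io
import re
import zipfile

# Heuristic byte patterns derived from the reported behaviour. They are
# assumptions made for this example, not indicators from the Doctor Web report.
CHECKS = {
    # Exfiltration to a Telegram bot goes through this endpoint.
    "telegram_bot_api_url": re.compile(rb"api\.telegram\.org/bot"),
    # Telegram bot tokens look like <8-10 digits>:<35 chars of [A-Za-z0-9_-]>.
    "telegram_bot_token": re.compile(rb"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])"),
    # Alpine Quest's own location-history file, which the spyware hunts for.
    "alpinequest_loclog_reference": re.compile(rb"locLog"),
    # App data directories of the messengers whose files are harvested.
    "messenger_data_path": re.compile(rb"org\.telegram\.messenger|com\.whatsapp"),
}


def scan_apk(apk_bytes):
    """Scan every member of an APK (a zip file) and return the checks that fired.

    Result maps check name -> list of archive members containing a match.
    A real DEX file is scanned as raw bytes, which is enough for string hits.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for name, pattern in CHECKS.items():
                if pattern.search(data):
                    findings.setdefault(name, []).append(info.filename)
    return findings


def verdict(findings):
    """Simple scoring: two or more independent hits marks the APK suspicious."""
    return "suspicious" if len(findings) >= 2 else "clean"


def build_sample_apk(trojanized):
    """Constructed stand-in for an APK: a zip whose classes.dex is just a
    NUL-separated string table. The bot token below is made up."""
    strings = [b"com.alpinequest.app", b"MapView", b"ProFeatures"]
    if trojanized:
        strings += [
            b"https://api.telegram.org/bot123456789:AAHfzRzZrEw0TNmBpa2yCjkXgLxPS-ldrxp/sendDocument",
            b"/locLog",
            b"/data/data/org.telegram.messenger/files",
        ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"\x00".join(strings))
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean build", build_sample_apk(False)),
                       ("trojanized build", build_sample_apk(True))):
        hits = scan_apk(apk)
        print(f"{label}: {verdict(hits)} {hits}")
```

Point `scan_apk` at the bytes of a real APK to run it against a sample; a hit on the bot-token pattern alone is worth a manual look, since a legitimate mapping app has no reason to carry Telegram bot credentials.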
Source: Doctor Web
Turning the tables
Targeting soldiers' personal devices for intelligence is a tactic previously seen in Russian hacking operations, usually attributed to state-sponsored groups collecting intelligence for the Russian army. In December 2022, attackers used a compromised Ukrainian Ministry of Defense email account in an attempt to spread malware, using the DELTA intelligence collection system as bait.
In October 2024, the Russian threat group known as ‘UNC5812’ directed its efforts toward Ukrainian conscripts, deploying Windows and Android malware through a fictitious agency named ‘Civil Defense.’ More recently, in February 2025, Google researchers uncovered that members of the APT44 group employed malicious QR codes to deceive targets into syncing their Signal accounts with unauthorized devices.
The trojanized AlpineQuest app shows that the same kind of covert operation now runs in the other direction, and that intelligence collected from soldiers' devices is a pivotal element in gaining a strategic advantage on the battlefield.