Russian military personnel on the front lines targeted with new Android spyware

Recent developments have unveiled a sophisticated Android malware targeting Russian military personnel, designed to pilfer contacts and monitor locations. This malware is cleverly disguised within a modified version of the Alpine Quest mapping application, a tool favored not only by hunters and athletes but also by military personnel operating in the conflict zones of Ukraine. The app, known for its comprehensive topographical maps, is now being exploited through a dedicated Telegram channel and various unofficial Android app repositories.

Looks like the real thing

The malware, identified as Android.Spy.1292.origin, is embedded within a legitimate copy of the Alpine Quest app, allowing it to mimic the original's functionality seamlessly. This disguise enables the malware to evade detection while executing its malicious tasks over extended periods. According to a blog post by the Russia-based security firm Dr.Web, the trojan collects and transmits a range of sensitive data to its command and control server each time the app is launched:

  • The user’s mobile phone number and associated accounts
  • Contacts from the phonebook
  • The current date
  • The current geolocation
  • Information about files stored on the device
  • The app’s version

Should the threat actors identify files of interest, they can easily update the app with additional modules designed to extract those files. Notably, the creators of Android.Spy.1292.origin have shown a keen interest in confidential documents exchanged via Telegram and WhatsApp, as well as the location log generated by Alpine Quest. The modular architecture of this malware allows for ongoing updates, enhancing its capabilities and posing an escalating threat to its unsuspecting users.
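Because the trojanized copy is a repackaged build of the genuine app spread through Telegram and unofficial repositories, the practical defensive check is to confirm where an installed copy came from and whether it still carries the publisher's signing certificate. The script below is an added example for this article, not code from Dr.Web or the Alpine Quest project: it classifies a constructed inventory of installed packages, flagging any copy of a watched package that was sideloaded or whose signing-certificate digest differs from the expected one. The package name, installer names and fingerprints are placeholders, not the real values.

```python
"""Flag sideloaded or re-signed copies of a watched Android app.

Added example (not the article's or the project's own code). All package
names and certificate fingerprints here are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical package name of the app we care about (placeholder, not the
# real Alpine Quest package id) and the publisher's expected signer digest.
WATCHED_PACKAGE = "com.example.alpinequest"
EXPECTED_SIGNER_SHA256 = "aa" * 32  # placeholder hex SHA-256 of the cert

# Installer package ids treated as trusted sources. Assumption for this
# example: only the Google Play Store client counts as trusted.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]   # None when installed via ADB or a file manager
    signer_sha256: str         # hex SHA-256 of the APK signing certificate


def classify(app: InstalledApp) -> str:
    """Return one verdict for a single installed package.

    not_watched : package is not the one we monitor
    tampered    : signer digest differs from the publisher's certificate
    sideloaded  : genuine signer, but not installed from a trusted store
    ok          : genuine signer and trusted installer
    A re-signed APK always implies repackaging, so 'tampered' wins over
    'sideloaded' even when both apply.
    """
    if app.package != WATCHED_PACKAGE:
        return "not_watched"
    if app.signer_sha256.lower() != EXPECTED_SIGNER_SHA256:
        return "tampered"
    if app.installer not in TRUSTED_INSTALLERS:
        return "sideloaded"
    return "ok"


def scan(apps: List[InstalledApp]) -> List[Tuple[str, str]]:
    """Return (package, verdict) for every watched package that is not 'ok'."""
    findings = []
    for app in apps:
        verdict = classify(app)
        if verdict in ("tampered", "sideloaded"):
            findings.append((app.package, verdict))
    return findings


# Constructed inventory: one clean install, one repackaged copy from an
# unofficial source, one unrelated app.
SAMPLE_APPS = [
    InstalledApp(WATCHED_PACKAGE, "com.android.vending", "AA" * 32),
    InstalledApp(WATCHED_PACKAGE, None, "bb" * 32),
    InstalledApp("com.example.other", "com.android.vending", "cc" * 32),
]

if __name__ == "__main__":
    for package, verdict in scan(SAMPLE_APPS):
        print(f"{package}: {verdict}")
```

On a real device the two inputs come from standard tooling: `adb shell pm list packages -i` lists each package with its installer, and `apksigner verify --print-certs <apk>` prints the signing-certificate digests, so the expected digest should be taken from a copy obtained directly from the official store rather than from any third-party download.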
