Cybersecurity researchers from Lab52 have identified a new Android malware called Process Manager, capable of recording the target endpoint’s audio, as well as read and send SMS messages.
While the malware does seem to share a few similarities with the popular Russian state-sponsored threat actor Turla, it would seem as if the group isn’t behind this particular variant, or the campaign.
The similarity between Process Manager and other Turla malware is in the fact that both use the same shared-hosting infrastructure.
Hiding in plain sight
When installed, the Process Manager malware comes with a gear-shaped icon, to try and trick the victims into thinking the app is a core Android item. After that, it looks to obtain more than a dozen permissions, including access to the camera, the device’s location, the ability to read and send SMS messages, to read call logs and contacts, to record audio and read and write external storage.
It’s unclear how it obtains these permissions - if it tries to trick the victim into granting them, or if it abuses the Android Accessibility service to grant itself the permissions.
This is where the differences between this threat actor and Turla begin to show. If the malware gets the permissions, it removes its icon and runs in the background. Still, the user can know the app is running, due to the permanent notification that sits in the pulldown menu.
The goal that the threat actor is trying to achieve with Process Manager also doesn’t befit Turla. The Russian APT is usually engaged in cyber espionage. This malware installs Dhan: Earn Wallet cash, a popular money-generating referral system app found in the Play Store. It downloads the app through the referral system, to earn commission for the attackers.
It’s also unclear how Process Manager is being distributed, but it’s mostly likely making rounds through identity theft, social engineering, and phishing sites.
Via: BleepingComputer