Cybersecurity researchers from Lab52 have identified a new Android malware called Process Manager, capable of recording the target endpoint’s audio, as well as read and send SMS messages.
While the malware does seem to share a few similarities with the popular Russian state-sponsored threat actor Turla, it would seem as if the group isn’t behind this particular variant, or the campaign.
The similarity between Process Manager and other Turla malware is in the fact that both use the same shared-hosting infrastructure.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
Hiding in plain sight
When installed, the Process Manager malware comes with a gear-shaped icon, to try and trick the victims into thinking the app is a core Android item. After that, it looks to obtain more than a dozen permissions, including access to the camera, the device’s location, the ability to read and send SMS messages, to read call logs and contacts, to record audio and read and write external storage.
It’s unclear how it obtains these permissions - if it tries to trick the victim into granting them, or if it abuses the Android Accessibility service to grant itself the permissions.
This is where the differences between this threat actor and Turla begin to show. If the malware gets the permissions, it removes its icon and runs in the background. Still, the user can know the app is running, due to the permanent notification that sits in the pulldown menu.
The goal that the threat actor is trying to achieve with Process Manager also doesn’t befit Turla. The Russian APT is usually engaged in cyber espionage. This malware installs Dhan: Earn Wallet cash, a popular money-generating referral system app found in the Play Store. It downloads the app through the referral system, to earn commission for the attackers.
It’s also unclear how Process Manager is being distributed, but it’s mostly likely making rounds through identity theft, social engineering, and phishing sites.
- If you're looking to stay safe from threats lurking on the internet, you should consider a strong firewall
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.