Be careful if a small circular gear icon appears in the notification bar of your Android smartphone: it could be spyware, researchers at the Spanish cybersecurity company Lab52 have just revealed. Hidden behind an application called Process Manager, which may have been inadvertently downloaded after clicking on a link, the malware needs only one curious tap to get started.
Whoever taps it is immediately asked to accept a whole series of authorizations: GPS, the log of incoming and outgoing calls, the contact list, the camera, the coordinates of the wi-fi networks used and, above all, listening in on telephone conversations. In total, 18 permissions have to be granted, the hackers counting on the bad habit of accepting every cookie banner or notification prompt when connecting to websites or applications, a bit like accepting the famous terms and conditions without reading them.
“The software and its technique are not very sophisticated,” says Benoit Ferault, a cybersecurity expert at Quarkslab, a French company specializing in security research, whom we contacted and who was himself surprised. The software then scans and siphons off all the data on the phone and sends it to a server in Russia. The application then disappears from the home screen. “But it runs in the background and stays in the notification bar, which is not the most discreet,” comments our cybersecurity expert.
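As a defender's check, the permission list and the background behaviour described above can be assessed mechanically from an app's manifest. The following Python script is an added example, not part of the article or of Lab52's analysis: it parses a constructed AndroidManifest.xml (the package name and the exact permission set are made up to mirror the behaviour described; the permission strings themselves are real Android identifiers) and flags a package that combines several sensitive runtime permissions with the boot and foreground-service permissions a persistent background process needs. The threshold of four sensitive permissions is an assumption, not a figure from the report.

```python
"""Flag Android manifests that request many sensitive permissions together
with persistence permissions. Added example; the manifests below are
constructed for illustration and are not the spyware's real manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Runtime ("dangerous") permissions that expose the kinds of data the article
# lists: location, call log, contacts, camera, microphone. Real identifiers.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_PHONE_STATE": "phone state",
}

# Permissions a process needs to survive reboots and keep running in the
# background behind a notification (the behaviour the expert describes).
PERSISTENCE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed manifest resembling the described app (package name is made up).
SPYWARE_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.processmanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>
"""

# Constructed manifest of an ordinary camera app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name="..."> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def assess(manifest_xml: str, threshold: int = 4) -> dict:
    """Summarize the manifest and flag it when it combines at least `threshold`
    sensitive permissions with at least one persistence permission."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    sensitive = [SENSITIVE[p] for p in perms if p in SENSITIVE]
    persistence = sorted(p for p in perms if p in PERSISTENCE)
    return {
        "package": root.get("package"),
        "requested": len(perms),
        "sensitive": sensitive,
        "persistence": persistence,
        "suspicious": len(sensitive) >= threshold and bool(persistence),
    }


if __name__ == "__main__":
    for manifest in (SPYWARE_LIKE_MANIFEST, BENIGN_MANIFEST):
        report = assess(manifest)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{report['package']}: {report['requested']} permissions, "
              f"{len(report['sensitive'])} sensitive ({', '.join(report['sensitive'])}), "
              f"persistence={report['persistence']} -> {verdict}")
```

On a real device the same permission list can be pulled from `adb shell dumpsys package <name>` and fed to `assess` after conversion, which is how a manual check of an unfamiliar app with a persistent gear icon would start.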
The theory of Russian hackers working for the Kremlin called into question
In their analysis, the researchers explain that they were able to identify an IP address (the identification number assigned to a computer connected to the Internet) located in Russia. “That is because the server this software connects to was for a time used by the Russian state. Except that these IP addresses can be bought on the black market and reused by someone else,” Benoit Ferault continues. Beware, though: the current context of war reinforces the suspicion directed at this country.
Lab52 researchers have in any case identified infrastructure attributed to the FSB, the Russian security service. Their hypothesis: behind this attack is the Russian hacker group Turla, also called “Snake” or “Uroburos”, a group financed by the Kremlin that may have been involved in the 2020 hack of SolarWinds, an American software publisher.
However, while parts of this software's code do contain Cyrillic characters, nothing makes it possible to confirm that Turla's operators are really behind it. “We find many pieces of software already used by this group, but nothing allows us to say that it is really them. If the hackers had significant (financial) resources for espionage, they would surely have chosen to make it completely invisible,” he judges.
Especially since this malware also triggers the download of a popular Indian application (10,000,000 downloads) with a referral-based money-making scheme that is very widespread in India: “Roz Dhan Earn money on your wallet”. Thanks to a referral program, the hackers collect a commission for each download of this Indian application.
To protect yourself, antivirus software exists. “Phones are also increasingly secure,” says the Quarkslab expert. As proof of this software's weaknesses, users can also simply delete the application. This reinforces the doubt about its origin, since Turla's hackers are more accustomed to cyber espionage, in particular against officials or diplomats holding sensitive data, than to targeting ordinary citizens. The extent of this attack is not known. But, as usual, it aims to recover as much data as possible, which can always be monetized on the dark web.