Russian Military Faces New Android Spyware & Windows Threat

In a new wave of cyberattacks, Russian military personnel have become the target of Android spyware delivered through a malicious campaign built around a popular mapping application. The spyware, identified as Android.Spy.1292.origin, has been distributed under the guise of the legitimate Alpine Quest mapping app, a tool frequently used by Russian military personnel in the Special Military Operation zone.

Disguised Spyware in Alpine Quest Mapping Software

According to Doctor Web, a Russian cybersecurity vendor, the attackers have concealed the trojan inside older versions of the Alpine Quest mapping software. The malware was initially made available through a modified version of Alpine Quest Pro, a paid version that removes ads and analytics. It was also found being distributed in the form of an APK file via a fake Telegram channel.

The trojanized version was initially distributed through a Russian app catalog and was later delivered directly as an app update. Once installed on an Android device, the malicious app mimics the original Alpine Quest app, remaining undetected for a long period while collecting sensitive data. The spyware harvests information such as:

  • Mobile phone number and accounts
  • Contact lists
  • Current date and geolocation
  • Stored files
  • App version

Additionally, the spyware sends the victim’s location to a Telegram bot every time it changes. The malware also supports the download of extra modules, enabling attackers to exfiltrate files of interest, particularly from messaging apps like Telegram and WhatsApp.

Doctor Web also pointed out that the spyware could expand its functionality by downloading new modules, broadening the scope of malicious tasks it can perform, such as stealing confidential files and monitoring users’ movements. The campaign highlights the risks of installing apps from unreliable sources.

Russian Military Organizations Targeted by Windows Backdoor

This malware campaign comes on the heels of a report from Kaspersky, which revealed that various large organizations in Russia, including those in the government, finance, and industrial sectors, have fallen victim to a sophisticated Windows backdoor. The backdoor was disguised as an update for the secure ViPNet networking software.

The backdoor is distributed in LZH archives containing a malicious executable, msinfo32.exe, which acts as a loader for an encrypted payload. Once the payload is loaded into memory, the backdoor enables attackers to:

  • Steal files from infected systems
  • Connect to a command-and-control (C2) server
  • Launch additional malicious components

Kaspersky noted that the malware’s ability to access ViPNet networks made it particularly dangerous for targeted Russian organizations. It allows attackers to exfiltrate sensitive data and install further malware on compromised systems.
