Google: Kremlin-backed goons spread Android malware disguised as pro-Ukraine app

Kremlin-backed criminals are trying to trick people into downloading Android malware by spoofing a Ukrainian military group, according to Google security researchers.

According to the cloud giant’s Threat Analysis Group (TAG) – which has been tracking cybersecurity activity in Eastern Europe since Russia invaded its neighbor – the Turla group, publicly attributed to Russia’s Federal Security Service (FSB), recently started promoting Android apps on a domain designed to look like the Ukrainian Azov Regiment.

The CyberAzov app promises to “help stop Russian aggression against Ukraine” by deploying Denial of Service (DoS) attacks against set Russian targets, according to the phony website. In reality, the app sends a single GET request, which isn’t enough to launch an effective attack, and it likely contains a Trojan that infects the Android device, according to VirusTotal.

“This is the first known instance of Turla distributing Android-related malware,” Google security researcher Billy Leonard wrote in a TAG update this week.  

The Google Play Store did not distribute the malicious app. “We believe there was no major impact on Android users and that the number of installs was minuscule,” Leonard added.

The inspiration for the Turla CyberAzov app is likely another app, thought to be created by pro-Ukrainian developers. This one, called StopWar, also downloads a set list of Russian targets for DoS attacks. However, it continually sends requests to these websites until stopped by the user, Leonard said.

It was first seen in March, and has been flagged as malicious by a couple of security vendors, according to VirusTotal.

In addition to developing malicious apps, Russian state-backed groups are also continuing to exploit the Follina vulnerability to target Ukrainian organizations, according to Google’s TAG.

Specifically, Russian GRU-affiliated gangs Sandworm and APT28 (also known as Fancy Bear and Strontium) are using the remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool to attack Ukrainian media organizations. Sandworm has been actively attacking Ukrainian infrastructure since the war began, particularly with data-wiping malware.

And in April, the US government offered up to $10 million for vital information on each of six Russian GRU officers linked to the Sandworm gang, who, according to Uncle Sam, have plotted to carry out destructive cyber-attacks against American critical infrastructure.

Financially motivated crooks are also taking advantage of the Microsoft security hole to attack Ukraine, and Leonard noted a campaign from a group tracked by CERT-UA as UAC-0098 that, disguised as the State Tax Service of Ukraine, used Follina to deliver malicious documents in password-protected archives.

“We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor,” Leonard wrote.