Booby-trapped Alpine Quest Android app geolocates Russian soldiers
Russian soldiers are being targeted with an Android app specially altered to pinpoint their location and scan their phones for files, with the ability to exfiltrate sensitive documents if instructed.
The software in question is Alpine Quest, a legit topographic mapping tool popular among hikers, hunters, and more to the point, Russian military personnel operating in combat zones. A tampered version, with spyware dubbed Android.Spy.1292.origin injected into it, has been circulated by persons unknown, seemingly with the intent to infect the devices of President Putin’s war-fighters.
“Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality,” Russian security outfit Dr Web explained this week.
To spread the infected app, the snoops behind the caper created a bogus Telegram channel to pose as the app’s developer. “The channel provided a link for downloading the app in one of the Russian app catalogs. The same trojan version, disguised as the app’s ‘update,’ was later distributed via this very same channel,” Dr Web added.
Once installed, the trojan quietly connects to a remote command-and-control server (C2), waiting for orders and sending back sensitive data. According to Dr Web, it can collect the following:
- Current date and geolocation
- Downloaded files
- Mobile phone numbers and accounts
- Address lists
- The device’s app version
That’s just for starters. The malware can also be instructed to download and run additional modules that help exfiltrate specific files — particularly documents shared through Telegram or WhatsApp, and locLog GPS logs created by Alpine Quest itself.
While attribution remains unconfirmed, the data collection profile points toward state-backed surveillance – possibly Ukrainian. We’ve asked Dr Web for further details.
A fake software update hides a nasty surprise
Alpine Quest is far from the only digital mess Russia’s dealing with. Over at Kaspersky, researchers have uncovered another nasty surprise – a “sophisticated” backdoor – this time hiding inside a fake software update.
The Russian infosec house found that miscreants had bundled the malware into LZH archives mimicking legitimate ViPNet update packages for Windows computers; ViPNet being a trusted secure networking suite used widely across Russia’s government, finance, and industrial sectors. Inside the archive is a rogue executable called msinfo32.exe, a name borrowed from a legitimate Windows system tool – a classic trick to dodge suspicion during initial inspection. The program decrypts and unpacks a payload within the archive.
“The msinfo32.exe file is a loader that reads the encrypted payload file. The loader processes the contents of the file to load the backdoor into memory,” Kaspersky said.
“This backdoor is versatile: It can connect to a C2 server via TCP, allowing the attacker to steal files from infected computers and launch additional malicious components, among other things.”
To be clear, this wasn’t a screw-up on ViPNet’s part – Kaspersky notes the malware was smuggled in via spoofed update archives, not any official release.
Meanwhile, the digital war continues
From the other side, Russian fiends have been targeting Ukrainian officials and their allies in an ongoing phishing campaign aimed at hijacking Microsoft 365 accounts.
Marks are contacted via Signal or WhatsApp by baddies posing as diplomats from the EU, Romania, Bulgaria, or Poland. The hook? An invitation to a video call about the ongoing war, security biz Volexity reports.
Once the victim takes the bait, with some social engineering and a little abuse of Microsoft’s OAuth 2 authentication workflow – kinda like what we saw earlier this year with device authentication codes – the snoops gain control of the victim’s M365 account. Volexity summarized the attack thus:
According to Volexity, one campaign even leveraged a compromised Ukrainian government account to lend credibility to the ruse.
“Like other OAuth phishing techniques, the one used in this campaign involved direct interaction with the victim to have them click a link and supply a code back to the attacker,” the team says. “This code is then sought by the attacker and used to obtain illicit access to M365 resources.” ®