
Malware discovered on Android devices that can record audio and track location

ProcessManager is the name of a new malware that is capable of stealing data, as well as recording audio and tracking location, while working in the background on Android OS devices.

Threat intelligence firm Lab52 has identified this malicious agent, which uses the same shared hosting infrastructure used by a group of cyber criminals of Russian origin called Turla.

At the moment, it is unknown whether ProcessManager is endorsed by Turla or whether it has any direct connection or relationship with this campaign, also known as Snake or Uroburos.


This software, which is also of Russian origin, reaches devices through a malicious APK file that works as spyware on Android and steals data in the background without the knowledge of the users.

As the researchers have determined, once the application is installed, it is placed in the application menu and displays a gear icon, which users can confuse with the Settings menu.

Also, when it is run for the first time on the device, it requests a total of 18 permissions, including access to the phone's location, screen lock and unlock, information about WiFi networks, and the sensors of the camera built into the device.


Other permissions requested by this application are access to phone calls or contact information, the ability to start the application when the device is turned on, send SMS, write to the memory card or read external storage devices.
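For triage, the permission profile described above can be checked against a decoded AndroidManifest.xml. The following is an added example, not code from Lab52 or the original article; the mapping from the article's capability descriptions to Android permission names, the threshold, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capabilities named in the article -> standard Android
# permission constants. The article does not list the exact 18 permissions.
CAPABILITIES = {
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "wifi_info": {"ACCESS_WIFI_STATE"},
    "camera": {"CAMERA"},
    "audio": {"RECORD_AUDIO"},
    "calls": {"READ_CALL_LOG", "READ_PHONE_STATE"},
    "contacts": {"READ_CONTACTS"},
    "boot_start": {"RECEIVE_BOOT_COMPLETED"},
    "sms": {"SEND_SMS"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for node in root.iter("uses-permission")}

def triage(manifest_xml, threshold=6):
    """Flag an app whose permissions cover many surveillance capabilities."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(cap for cap, wanted in CAPABILITIES.items() if perms & wanted)
    return {"capabilities": hits, "flag": len(hits) >= threshold}

def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real APK)."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{package}">{uses}</manifest>')

# Constructed samples: a settings lookalike and a simple flashlight app.
SUSPECT = _manifest("com.example.gearlookalike", [
    "ACCESS_FINE_LOCATION", "ACCESS_WIFI_STATE", "CAMERA", "RECORD_AUDIO",
    "READ_CONTACTS", "READ_CALL_LOG", "RECEIVE_BOOT_COMPLETED", "SEND_SMS",
    "WRITE_EXTERNAL_STORAGE"])
BENIGN = _manifest("com.example.flashlight", ["CAMERA", "RECEIVE_BOOT_COMPLETED"])

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(xml_text))
```

A permission profile alone is a triage signal, not a verdict; the threshold should be tuned against the apps actually deployed in a given fleet.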


Once the application has been opened for the first time, its icon is removed from the applications menu and it runs in the background, as indicated by its appearance in the notification bar.

In this way, in addition to stealing confidential information, it is capable of taking photos or videos, as well as recording audio from the voice recorder that usually comes pre-installed on these phones.


In this case, the application extracts these recordings in mp3 format in the cache directory and, together with the rest of the data, sends them in JSON format to a server located in Russia.

At the moment, it is unknown where this malware comes from, but researchers have found clues in another application called Ro Dhan: Earn Wallet Cash, which until now was available on Google Play.

Source: Elcomercio
