Cybersecurity researchers discovered Process Manager, a new Android malware capable of acquiring the target endpoint’s audio and also reading and sending SMS messages.
Although the malware bears some resemblance to malware used by the prominent Russian state-sponsored group Turla, that group does not appear to be behind this variant or the campaign.
The similarity is that Process Manager and other Turla malware use the same shared-hosting infrastructure.
When Process Manager is installed, it uses a gear-shaped icon to fool users into believing the application is a standard Android system component. It then requests a broad set of permissions: access to the camera, the device's location, the ability to read and send SMS messages, the ability to read call logs and contacts, the ability to record audio, and the ability to read and write external storage.
It's unknown how it obtains these permissions, whether by tricking the target into granting them or by abusing the Android Accessibility API to grant them to itself.
This is where the differences between this malware and Turla become apparent. Once the malware obtains the permissions it needs, it hides its icon and runs in the background. The victim can still tell the application is running because of the persistent notification in the pulldown menu.
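The permission set described above is a useful triage signal on its own. The following helper is an added example, not code from the article or from any vendor: it parses an AndroidManifest.xml, reports which of the capabilities the article attributes to Process Manager an app requests, and flags the app for review when it spans several at once. The sample manifests and the review threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# Capability -> real Android permissions granting it (capabilities as the article lists them).
CAPABILITIES = {
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Permission names declared through <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}

def matched_capabilities(manifest_xml: str) -> dict:
    """Each listed capability the app could exercise, with the permissions granting it."""
    perms = requested_permissions(manifest_xml)
    return {cap: sorted(perms & needed) for cap, needed in CAPABILITIES.items() if perms & needed}

def verdict(manifest_xml: str, threshold: int = 4) -> str:
    """'review' when an app spans `threshold` or more capabilities at once (the threshold is
    an assumed triage cut-off, not a value from the article), otherwise 'ok'."""
    return "review" if len(matched_capabilities(manifest_xml)) >= threshold else "ok"

def _manifest(*perms):  # builds a constructed manifest for the samples below
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed">{body}</manifest>')

# Constructed samples, not real apps: one mirroring the article's permission set, one benign.
SPY_MANIFEST = _manifest("android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
                         "android.permission.READ_SMS", "android.permission.SEND_SMS",
                         "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
                         "android.permission.RECORD_AUDIO", "android.permission.WRITE_EXTERNAL_STORAGE")
BENIGN_MANIFEST = _manifest("android.permission.INTERNET")

if __name__ == "__main__":
    for name, m in (("spy", SPY_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, verdict(m), matched_capabilities(m))
```

Legitimate messaging or telephony apps also request several of these, so the verdict is a prompt for manual review (icon hiding, persistent foreground service, referral installs) rather than a malware determination.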
The goal the attacker pursues with Process Manager is also not typical of Turla. Russian APTs are usually engaged in cyber espionage. This malware instead downloads and installs Dhan: Earn Wallet Cash, a popular money-generating referral app available in the Google Play Store, and installs it through the referral system so that the operators collect a fee.
It's also unknown how Process Manager is being distributed, although it most probably spreads through identity fraud, social engineering, and phishing websites.