Full Report
Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an
Analysis Summary
# Threat Actor: Unspecified Actor utilizing "Android.Spy.1292.origin"
## Attribution & Identity
The threat actor is currently **unattributed** but is conducting operations specifically against Russian military personnel. They are distributing Android spyware disguised as legitimate software.
## Activity Summary
The actor is engaged in a malicious campaign targeting Russian military members involved in the Special Military Operation zone. They disguise an Android trojan as the legitimate **Alpine Quest mapping software**, specifically as an older, freely available build offering Alpine Quest Pro features. Distribution occurred via Russian Android app catalogs and directly through a fake Telegram channel, initially via a download link and later by pushing the trojanized APK as an "app update." After installation the malware closely mimics the original application's functionality, which lets it stay on the device without raising the victim's suspicion.
## Tactics, Techniques & Procedures
- **Masquerading:** Disguising malicious code within legitimate application installers (Alpine Quest mapping app).
- **Distribution via Novel Channels:** Utilizing niche Russian Android app catalogs and fake Telegram channels for distribution.
- **Data Staging and Exfiltration:** Collecting sensitive data and exfiltrating files of interest, particularly those residing in messaging applications.
- **Extensibility:** Ability to download and execute additional malicious modules to expand capabilities.
## Targeting
- **Sectors:** Military/Personnel related to the Russian Special Military Operation zone.
- **Geography:** Android users operating within the Russian military operation's area.
- **Victims:** Russian military personnel.
## Tools & Infrastructure
- **Malware Families used:** Android.Spy.1292.origin (Android Spyware/Trojan).
- **Infrastructure (C2, domains, IPs):** The malware exfiltrates location data to a **Telegram bot**.
- **Distribution Vectors:** Russian Android app catalogs, direct APK distribution, fake Telegram channels.
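The report notes that collected data is sent to a Telegram bot. The Bot API has a fixed URL shape (`https://api.telegram.org/bot<id>:<secret>/<method>`), so a fleet's egress or MDM flow logs can be screened for non-approved packages calling data-moving methods. The script below is an added example, not code from Doctor Web or the report; the record layout, the sample flows, the package name `com.example.alpinequest.mod` and the allowlist are constructed assumptions.

```python
# Heuristic detection of Telegram Bot API use by mobile apps, as a first-pass indicator
# of the exfiltration channel described above. Record layout and sample flows are
# constructed for this example; they are not a real MDM or proxy export.
import re
from dataclasses import dataclass

# Telegram Bot API endpoints: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")

# Methods that move data off the device; sendLocation matches the location exfil reported.
EXFIL_METHODS = {"sendMessage": "text", "sendLocation": "location",
                 "sendDocument": "file", "sendPhoto": "file"}

# Packages permitted to use the Bot API (assumption: fill from your own fleet inventory).
ALLOWLIST = {"com.example.approved.alerting"}

@dataclass(frozen=True)
class Finding:
    package: str
    bot_id: str
    method: str
    kind: str

def parse_record(line):
    # Constructed record format: "<timestamp> <package> <url>", whitespace separated.
    parts = line.split(maxsplit=2)
    return (parts[1], parts[2]) if len(parts) == 3 else None

def detect_bot_api_exfil(lines):
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        package, url = rec
        m = BOT_API_RE.match(url)
        if not m or package in ALLOWLIST:
            continue
        bot_id, _secret, method = m.groups()
        if method in EXFIL_METHODS:
            findings.append(Finding(package, bot_id, method, EXFIL_METHODS[method]))
    return findings

SAMPLE_FLOWS = [  # constructed sample records
    "2025-04-22T10:01:03Z org.mozilla.firefox https://example.org/maps/tiles/1/2/3.png",
    "2025-04-22T10:01:09Z com.example.alpinequest.mod https://api.telegram.org/bot1000000001:AAAAexampletoken/sendLocation",
    "2025-04-22T10:02:41Z com.example.alpinequest.mod https://api.telegram.org/bot1000000001:AAAAexampletoken/sendDocument",
    "2025-04-22T10:03:00Z com.example.approved.alerting https://api.telegram.org/bot2000000002:BBBBexampletoken/sendMessage",
    "2025-04-22T10:03:15Z com.example.alpinequest.mod https://api.telegram.org/bot1000000001:AAAAexampletoken/getMe",
]

if __name__ == "__main__":
    for f in detect_bot_api_exfil(SAMPLE_FLOWS):
        print(f"{f.package} -> bot {f.bot_id}: {f.method} ({f.kind})")
```

Only the two data-moving calls from the unapproved package are flagged; the approved alerting app and the non-exfil `getMe` probe are ignored, so the bot id in a finding can be pivoted on across the fleet.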
## Implications
This campaign demonstrates targeted espionage against military personnel that uses a specialized niche mobile application relied on by the target population as the lure for social engineering and compromise. The ability to exfiltrate targeted files from applications like WhatsApp and Telegram indicates an objective to gather sensitive communications and intelligence from operational personnel.
## Mitigations
- Download and install Android applications exclusively from trusted, official app marketplaces.
- Exercise extreme caution regarding "free" versions of paid proprietary software obtained from non-official sources (e.g., file downloads via messaging apps or third-party catalogs).
- Implement strict Mobile Device Management (MDM) policies for military devices, focusing on application whitelisting.