Researchers have identified a new malicious program that affects Android devices: Process Manager, software capable of stealing data, recording audio and tracking location while running in the background.
Cybersecurity company Lab52 identified this malware, which uses the same shared hosting infrastructure as a group of Russian-born cybercriminals called Turla.
At the moment, it is unknown whether Process Manager is supported by Turla or if it has any direct connection or relationship with this campaign, also known as Snake or Uroburos.
This software, which is also of Russian origin, reaches devices through a malicious APK file that acts as spyware on Android and steals data without the user noticing, since it operates in the background.
As the researchers have determined, once the application is installed it appears in the applications menu with a gear-shaped icon, which users can confuse with the Settings menu.
In addition, when it is first run on the device, it requests a total of 18 permissions, including access to the phone's location, screen lock and unlock events, information about WiFi networks, and the camera sensors built into the device.
Other permissions requested by this application include access to phone calls and contact information, permission to start the app when the device boots, sending SMS, writing to the memory card and reading from external storage.
Once the application is opened for the first time, its icon is removed from the application menu and it runs in the background, although it does appear in the notification bar.
In this way, in addition to stealing confidential information, it is able to take photos or videos, as well as record audio using the voice recorder that is usually pre-installed on these phones.
In this case, the application saves these recordings in MP3 format in the cache directory and, together with the rest of the data, sends them in JSON format to a server located in Russia.
At the moment, it is unknown where this malware comes from, but researchers have found evidence in another application called Ro Dhan: Earn Wallet Cash, which until now was available on Google Play.
How to tell whether there is a spy app on your phone
There are several steps you can take to check a mobile phone for a spy application or spyware.
1. Do an analysis with Play Protect
This tool, available in the Play Store, scans the phone and its applications for harmful behavior. If any risk is found, the user receives a notification. The setting is enabled by default and scans run automatically.
To check that the option is enabled and verify that it is working properly, open the Play Store on your phone and tap the profile photo in the upper right corner; an options menu will appear.
One of the options is Play Protect. Enter it to see the report.
To confirm that the option is enabled, tap the gear icon and verify that app scanning with Play Protect is turned on.
2. Check where apps were downloaded from and what permissions they have
When Play Protect is activated, installed apps are scanned automatically, but it doesn't hurt to double-check manually. It is worth reviewing the permissions the installed apps hold as well as where they were downloaded from.
To access this information, tap the settings icon (the gear symbol) on the phone, then enter Applications and open each one to check the Permissions entry as well as App details in store. The latter shows where the app was downloaded from, which is very important: if the download came from an unofficial store, there is a higher risk that it is a malicious program.
3. Access safe mode to delete suspicious apps
When the phone is restarted in safe mode, all third-party applications are disabled, which lets you delete apps that could not otherwise be removed. Note that this will not work if the malicious software has obtained root access to the system.
How to access safe mode
To start in safe mode, hold the power button until that option appears. On some models, pressing the power button shows the Shut down option; hold it again until the Safe mode label appears and then tap that option.
Then go to Settings (or Configuration) and enter Applications. You will see a list of all the downloaded apps. Check whether there is one with a strange name or one you don't remember downloading, and delete it.
Before doing so, search for what the app is to make sure you are not uninstalling a useful program whose removal could affect the device's proper functioning.
If a suspicious app cannot be removed, go to Settings (or Configuration) / Lock and security / Other security settings / Device administration. There you must disable the suspicious program's access.
If none of this works, you can back up all the phone's information and perform a factory reset from the Settings menu.
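The manual check in step 2 (installer source plus granted permissions) can be automated over adb on a phone with USB debugging enabled. The script below is an added example, not from the article or from Lab52: it flags packages that were not installed by the Play Store and that hold the permission mix the article attributes to Process Manager. The package names and the `pm`/`dumpsys` text are constructed sample data; the threshold of four permissions is an assumption for triage, not something the article states.

```shell
#!/bin/sh
# Added triage helper (not from the article). Input normally comes from
# `adb shell pm list packages -i` and `adb shell dumpsys package PKG`;
# here constructed sample text stands in so the script runs offline.
# Android permission names matching the article's list: location, camera,
# microphone, SMS, contacts and start-at-boot.
SUSPECT_PERMS="android.permission.ACCESS_FINE_LOCATION android.permission.CAMERA
android.permission.RECORD_AUDIO android.permission.SEND_SMS
android.permission.READ_CONTACTS android.permission.RECEIVE_BOOT_COMPLETED"

# installer_of PKG LIST: installer recorded for PKG in `pm list packages -i`
# output, whose lines look like "package:NAME  installer=INSTALLER".
installer_of() {
    printf '%s\n' "$2" | sed -n "s/^package:$1  *installer=//p"
}

# count_suspect_perms DUMPSYS: how many SUSPECT_PERMS are shown as granted in
# `dumpsys package` output ("android.permission.X: granted=true, ...").
count_suspect_perms() {
    n=0
    for p in $SUSPECT_PERMS; do
        printf '%s\n' "$1" | grep -q "^ *$p: granted=true" && n=$((n + 1))
    done
    echo "$n"
}

# triage PKG LIST DUMPSYS: SUSPECT (sideloaded and >=4 suspect permissions),
# REVIEW (only one of the two holds), OK (neither).
triage() {
    inst=$(installer_of "$1" "$2")
    granted=$(count_suspect_perms "$3")
    if [ "$inst" != "com.android.vending" ] && [ "$granted" -ge 4 ]; then echo SUSPECT
    elif [ "$inst" != "com.android.vending" ] || [ "$granted" -ge 4 ]; then echo REVIEW
    else echo OK; fi
}

# Constructed sample data (not real device output or real package names).
SAMPLE_LIST="package:com.example.chat  installer=com.android.vending
package:com.example.procmgr  installer=null"
SAMPLE_DUMP_PROCMGR="  android.permission.ACCESS_FINE_LOCATION: granted=true
  android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  android.permission.RECORD_AUDIO: granted=true
  android.permission.SEND_SMS: granted=true
  android.permission.READ_CONTACTS: granted=true
  android.permission.RECEIVE_BOOT_COMPLETED: granted=true"
SAMPLE_DUMP_CHAT="  android.permission.CAMERA: granted=true
  android.permission.READ_CONTACTS: granted=true"
triage com.example.procmgr "$SAMPLE_LIST" "$SAMPLE_DUMP_PROCMGR"   # SUSPECT
triage com.example.chat    "$SAMPLE_LIST" "$SAMPLE_DUMP_CHAT"      # OK
```

To run it against a real device, replace the sample strings with the output of `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>`; an app the user remembers installing from the Play Store with a legitimate need for these permissions will still show up as REVIEW, which is the point of checking by hand.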