Fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data, contacts, and sensitive files.
A malicious version of Alpine Quest, a popular Android navigation app, has been found carrying spyware aimed at Russian military personnel. Security researchers at Doctor Web discovered the modified package embedded with Android.Spy.1292.origin spyware, which is capable of harvesting data and extending its functionality through remote commands.
Alpine Quest is commonly used by outdoor enthusiasts, but it is also relied on by soldiers in Russia's military zones because of its offline mapping features. That made it a convenient cover for attackers, who repackaged an older version of the app and pushed it as a free download through a fake Telegram channel. The link led to an app store targeting Russian users, where the infected package was listed as a pro version of the app.
Once installed, the spyware collects all sorts of data. Each time the app is opened, it sends the user's phone number, account details, contacts, geolocation, and a list of files stored on the device to a remote server. Some of this data is also sent to a Telegram bot controlled by the attackers, including updated location details each time the user moves.

Doctor Web's analysis shows that this spyware is capable of more than passive tracking. After identifying which files are available, the malware can be instructed to download new modules designed to extract specific content. Based on its behaviour, the attackers appear particularly interested in documents shared through messaging apps such as Telegram and WhatsApp. It also seeks out a file called locLog, created by Alpine Quest itself, which logs user movements in detail.
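The two paragraphs above describe the exfiltration channel: data and files pushed to an attacker-controlled Telegram bot. A legitimate navigation app has no reason to call the Telegram Bot API, so on a device or proxy log that records per-app outbound requests that pattern is a cheap detection signal. The following is an added example written for this article, not code from Doctor Web or from Alpine Quest; the log format (package, HTTP method, URL, bytes) and all package names and tokens are constructed.

```python
import re
from collections import defaultdict

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
# Group 1 is the bot token, group 2 the API method (sendMessage, sendDocument, ...).
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")

# Constructed sample log in a hypothetical "package method url bytes" format.
SAMPLE_LOG = """\
com.example.navpro POST https://api.telegram.org/bot111111:CONSTRUCTEDTOKEN/sendMessage 310
com.example.navpro POST https://api.telegram.org/bot111111:CONSTRUCTEDTOKEN/sendDocument 20480
com.example.navpro POST https://203.0.113.10/collect 4096
com.example.weather GET https://example.net/forecast 2048
com.example.navpro POST https://api.telegram.org/bot111111:CONSTRUCTEDTOKEN/sendMessage 298
"""


def mask_token(token):
    """Keep the bot id and a few characters of the secret so reports can be shared safely."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:3]}...{secret[-3:]}"


def find_bot_api_exfil(log_text):
    """Return, per package, the Bot API methods it called, masked tokens, and bytes sent."""
    findings = defaultdict(lambda: {"tokens": set(), "methods": defaultdict(int), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        pkg, _http_method, url, size = parts
        match = BOT_API.search(url)
        if not match:
            continue
        token, api_method = match.groups()
        entry = findings[pkg]
        entry["tokens"].add(mask_token(token))
        entry["methods"][api_method] += 1
        entry["bytes"] += int(size)
    # Convert to plain structures so the result is easy to serialise or assert on.
    return {
        pkg: {"tokens": sorted(e["tokens"]), "methods": dict(e["methods"]), "bytes": e["bytes"]}
        for pkg, e in findings.items()
    }


if __name__ == "__main__":
    for pkg, info in find_bot_api_exfil(SAMPLE_LOG).items():
        print(pkg, info)
```

A hit on sendDocument from an app that is not itself a bot client is the stronger indicator, since that is the method used to upload files such as the locLog described above.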
Because the spyware is bundled with a working version of the app, it looks and functions normally, giving it time to operate unnoticed. Its modular design also means its capabilities can grow over time, depending on the attackers' goals.
Doctor Web advises users to avoid downloading apps from unofficial sources, even when they appear to offer free access to paid features. Even on official app stores, it is best to avoid installing apps you don't really need. Malicious apps have been known to slip past review processes on both Google Play and the App Store.
At the time of writing, the group behind the campaign has not been identified, and it remains unclear whether this operation is domestic or foreign in origin. However, similar operations in the past have been linked to Ukrainian hacktivist groups, including Cyber Resistance, also known as the Ukrainian Cyber Alliance. In 2023, they reportedly targeted spouses of Russian military personnel, extracting sensitive and personal data. For now, there is still no confirmed attribution for the group behind this spyware campaign.