Russian hackers use fake pro-Ukraine Android apps to spread malware

20 Jul 2022

Image: © prima91/Stock.adobe.com

Google’s Threat Analysis Group identified Russia-backed Android apps that claim to launch DoS attacks against Russian sites.

Google has identified a Russian state-backed malware group as the source behind Android apps that falsely claim to help users support Ukraine in the ongoing war.

The Turla CyberAzov apps, which refer to the Ukrainian far-right military regiment Azov, are distributed under the guise of performing denial-of-service (DoS) attacks on a host of Russian websites.

However, these attacks were not enough to be effective. Instead, the Turla group distributed malware to the user.

Google’s Threat Analysis Group (TAG), created to protect Google users from state-backed cyberattacks, published a report on the Turla group’s activities in a blogpost yesterday (19 July).

Billy Leonard, security engineer at TAG, said that this is the first known instance of Turla distributing Android-related malware.

“The apps were not distributed through the Google Play Store but hosted on a domain controlled by the actor and disseminated via links on third-party messaging services. We believe there was no major impact on Android users and the number of installs was minuscule,” he said.

During its investigation into the Turla CyberAzov apps, TAG identified another Android app, StopWar, that claimed to conduct DoS attacks against Russian websites.

A DoS attack is an attempt to make an online service unavailable by overwhelming it with high volumes of data. Typically, multiple compromised computer systems are used as sources of attack traffic, known as distributed denial-of-service attacks.

The StopWar app, distributed from a host website, was first seen in the wild in March 2022.

Written by a different developer, StopWar also downloads a list of attack targets from an external site. But unlike the Turla apps, TAG said it continually sends requests to the target websites until it is stopped by the user.

“Based on our analysis, we believe that the StopWar app was developed by pro-Ukrainian developers and was the inspiration for what Turla actors based their fake CyberAzov DoS app off of,” Leonard added.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic

editorial@siliconrepublic.com