Android Spyware Trojan Targets Russian Military Personnel Using Alpine Quest Mapping Software

The Android application “Alpine Quest Mapping”, a topographical tool widely used by Russian military forces, has been compromised by a malicious campaign. Attackers embedded the Android.Spy.1292.origin malware into an older version of the app and distributed it via a fake Telegram channel, disguising it as a free “Alpine Quest Pro” version.

The malware, easy to overlook because it is bundled inside an otherwise working copy of the app, exfiltrates sensitive data, including:
– Mobile phone numbers and associated accounts
– Contacts from the address book
– Current date and geolocation
– Device-stored file information
– Application version details

The stolen data is sent to a command-and-control (C2) server and a Telegram bot controlled by the attackers.

You Should Know: Detecting and Preventing Such Attacks

1. Verify App Authenticity

Always download apps from official stores (Google Play, Apple App Store). Check developer details and reviews.

Command to check app signatures (Android):

adb shell pm list packages -f | grep "alpine.quest"
adb shell dumpsys package <package_name> | grep "signatures"

2. Monitor Network Traffic

Use Wireshark or tcpdump to detect suspicious connections:

tcpdump -i any -s 0 -w traffic.pcap

Analyze with:

tshark -r traffic.pcap -Y "http or dns"
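Going one step beyond the filter above, the following added example (not part of the original post) shows how a defender would triage the decoded capture for the two signals this campaign produces: contact with the Telegram Bot API and connections to hosts a mapping app has no reason to talk to. The input is a constructed sample of `tshark -T fields` output (tab-separated `ip.dst`, `dns.qry.name`, `http.host`, `http.request.uri`); the hostnames, addresses and bot token are placeholders, and the allowlist of expected hosts is an assumption that in practice would come from a clean-install capture.

```python
import re

# Constructed sample of:
#   tshark -r traffic.pcap -Y "http or dns" -T fields \
#     -e ip.dst -e dns.qry.name -e http.host -e http.request.uri
# Tab-separated. All hosts, addresses and the bot token are placeholders
# made up for this example, not observed indicators from the campaign.
SAMPLE_TSHARK = """\
8.8.8.8\ttile.example-maps.test\t\t
203.0.113.10\t\ttile.example-maps.test\t/tiles/12/2345/1234.png
8.8.8.8\tapi.telegram.org\t\t
149.154.167.220\t\tapi.telegram.org\t/bot7340012345:AAExampleTokenExampleTokenExamp_ABC/sendDocument
198.51.100.77\t\tupdates.example-c2.test\t/upload?dev=abc123
"""

# Hosts an offline topographic map app would plausibly contact (assumption
# for the example; derive a real baseline from a known-good install).
EXPECTED_HOSTS = {"tile.example-maps.test"}

# Telegram Bot API requests carry the bot token in the path:
# /bot<numeric id>:<35-char secret>/<method>
BOT_API_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)")


def parse_tshark_fields(text):
    """Yield (dst_ip, dns_name, http_host, uri) tuples from tab-separated output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))  # pad lines with trailing empty fields
        yield tuple(fields[:4])


def find_suspicious(text, expected_hosts=EXPECTED_HOSTS):
    """Return a list of (reason, host, detail) findings from the decoded capture."""
    findings = []
    for dst_ip, dns_name, http_host, uri in parse_tshark_fields(text):
        host = http_host or dns_name
        if not host:
            continue
        if host.endswith("telegram.org"):
            m = BOT_API_PATH.match(uri)
            # Record only the bot id, never the full token, in analyst output.
            detail = f"bot_id={m.group(1)} method={m.group(3)}" if m else "dns/host only"
            findings.append(("telegram_bot_api" if m else "telegram_contact", host, detail))
        elif host not in expected_hosts:
            findings.append(("unexpected_host", host, f"dst={dst_ip} uri={uri or '-'}"))
    return findings


if __name__ == "__main__":
    for reason, host, detail in find_suspicious(SAMPLE_TSHARK):
        print(f"{reason:18} {host:28} {detail}")
```

A bare DNS lookup of api.telegram.org is only a weak signal (many legitimate apps use Telegram), so the script grades it separately from an actual Bot API call; a `sendDocument` from a mapping app is the finding worth escalating.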

3. Check for Malicious APKs

Use APKTool to decompile and inspect:

apktool d malicious_app.apk -o output_dir

Search for suspicious URLs or permissions:

grep -rE "https?://" output_dir/

4. Detect Spyware with Mobile Security Tools

  • MobSF (Mobile Security Framework) – Automated APK analysis:
    docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf
    
  • YARA Rules for Android Malware Detection – Scan for known patterns.
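As an added example (not from the original post, and not MobSF's or APKTool's own code), here is a small triage script that automates the two checks from sections 3 and 4 on an apktool output directory: it reads the requested permissions from AndroidManifest.xml, diffs them against the permission set an offline map app plausibly needs, names the ones that map to the data this spyware steals, and then hunts the unpacked files for URLs, singling out Telegram Bot API endpoints the way a YARA rule would. The baseline permission set, the package name, and the manifest and strings.xml contents are constructed for the example.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an offline topographic map app plausibly requests (assumption
# for the example; build a real baseline from a known-good build of the app).
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions that correspond to the data the post says is exfiltrated.
DATA_THEFT_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.READ_PHONE_STATE": "phone number / device identifiers",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:")
NOISE_HOSTS = ("schemas.android.com",)  # XML namespace URLs, not network endpoints


def requested_permissions(manifest_path):
    """Return the set of android:name values of <uses-permission> elements."""
    root = ET.parse(manifest_path).getroot()
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def find_urls(apk_dir):
    """Collect (relative file, url) pairs from every text file under apk_dir."""
    hits = []
    for dirpath, _, files in os.walk(apk_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for url in URL_RE.findall(fh.read()):
                    if not any(h in url for h in NOISE_HOSTS):
                        hits.append((os.path.relpath(path, apk_dir), url))
    return hits


def triage(apk_dir):
    """Permission diff plus URL hunt over an apktool output directory."""
    perms = requested_permissions(os.path.join(apk_dir, "AndroidManifest.xml"))
    extra = sorted(perms - BASELINE_PERMISSIONS)
    theft = {p: DATA_THEFT_PERMISSIONS[p] for p in extra if p in DATA_THEFT_PERMISSIONS}
    urls = find_urls(apk_dir)
    bot_urls = [(f, u) for f, u in urls if TELEGRAM_BOT_RE.search(u)]
    return {"extra_permissions": extra, "data_theft": theft,
            "urls": urls, "telegram_bot_urls": bot_urls}


# Constructed sample files standing in for `apktool d` output (placeholder
# package name, hosts and bot token; not taken from the real campaign).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.mapapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

SAMPLE_STRINGS = """<resources>
  <string name="tile_server">https://tile.example-maps.test/{z}/{x}/{y}.png</string>
  <string name="report_url">https://api.telegram.org/bot7340012345:AAExampleTokenExampleTokenExamp_ABC/sendDocument</string>
</resources>
"""


def build_sample_dir():
    """Write the constructed manifest and strings.xml into a temp directory."""
    d = tempfile.mkdtemp(prefix="apk_triage_")
    with open(os.path.join(d, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MANIFEST)
    os.makedirs(os.path.join(d, "res", "values"))
    with open(os.path.join(d, "res", "values", "strings.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_STRINGS)
    return d


if __name__ == "__main__":
    result = triage(build_sample_dir())
    for perm in result["extra_permissions"]:
        print("extra permission:", perm, "->", result["data_theft"].get(perm, "review"))
    for path, url in result["urls"]:
        flag = "TELEGRAM BOT" if (path, url) in result["telegram_bot_urls"] else ""
        print("url:", path, url, flag)
```

Point it at a real `apktool d` output directory by calling `triage("output_dir")`; the manifest diff is the quickest way to tell a repackaged build from the original, since a trojanized copy has to request the contacts and phone permissions the legitimate mapping app never needed.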

5. Revoke Unnecessary Permissions

Check app permissions via ADB:

adb shell dumpsys package <package_name> | grep "permission"
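The `grep` above shows every permission line, granted or not. The added example below (not part of the original post) parses the `runtime permissions:` block that `dumpsys package` prints for each user, keeps only permissions that are actually granted, and turns those outside a mapping app's expected set into the corresponding `adb shell pm revoke` commands. The dumpsys excerpt, the package name and the allowed set are constructed placeholders for the example.

```python
import re

# Constructed excerpt of `adb shell dumpsys package <package_name>` output,
# mirroring the layout of the 'install permissions:' and per-user
# 'runtime permissions:' sections. Package name and values are placeholders.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.mapapp] (a1b2c3d):
    userId=10234
    versionName=2.1.0
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.GET_ACCOUNTS: granted=false, flags=[ USER_SET|USER_FIXED ]
"""

PERM_LINE = re.compile(r"^\s+(android\.permission\.\w+): granted=(true|false)")

# Runtime permissions a mapping app plausibly needs (assumption for the example).
ALLOWED_RUNTIME = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def runtime_permissions(dumpsys_text):
    """Return {permission: granted} parsed from the 'runtime permissions:' block."""
    perms, in_block, block_indent = {}, False, 0
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "runtime permissions:":
            in_block, block_indent = True, indent
            continue
        if in_block:
            if not stripped or indent <= block_indent:
                break  # de-indented: left the block
            m = PERM_LINE.match(line)
            if m:
                perms[m.group(1)] = m.group(2) == "true"
    return perms


def revoke_commands(package, dumpsys_text, allowed=ALLOWED_RUNTIME):
    """Build `pm revoke` commands for granted runtime permissions outside the baseline."""
    return [f"adb shell pm revoke {package} {perm}"
            for perm, granted in sorted(runtime_permissions(dumpsys_text).items())
            if granted and perm not in allowed]


if __name__ == "__main__":
    for cmd in revoke_commands("com.example.mapapp", SAMPLE_DUMPSYS):
        print(cmd)
```

Run it against real output with `revoke_commands(pkg, subprocess.check_output(["adb", "shell", "dumpsys", "package", pkg], text=True))`; revoking only buys time on a trojanized app, so the commands are a containment step before uninstalling, not a substitute for it.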

6. Use Sandboxing for Suspicious Apps

Isolate risky apps using Shelter (FOSS) or Insular.

What Undercode Say

This attack highlights the risks of third-party app stores and social engineering via Telegram. Military personnel and high-risk users must:
– Disable unknown sources in Android settings.
– Use F-Droid for open-source alternatives.
– Regularly audit installed apps:

adb shell pm list packages -3

– Implement device encryption and remote wipe capabilities.

References:

Reported By: Piveteau Pierre – Hackers Feeds