Russia Targets Ukraine With New Android Backdoor, Intel Agencies Say (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Russia's military intelligence unit has been targeting Ukrainian Android devices with "Infamous Chisel," the tracking name for new malware that's designed to backdoor devices and steal critical information, Western intelligence agencies said on Thursday. "Infamous Chisel is a collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices," intelligence officials from the UK, US, Canada, Australia, and New Zealand wrote (PDF). "The information exfiltrated is a combination of system device information, commercial application information and applications specific to the Ukrainian military."
Infamous Chisel gains persistence by replacing the legitimate system component known as netd with a malicious version. Besides allowing Infamous Chisel to run each time a device is restarted, the malicious netd is also the main engine for the malware. It uses shell scripts and commands to collate and collect device information and also searches directories for files that have a predefined set of extensions. Depending on where on the infected device a collected file is located, netd sends it to Russian servers either immediately or once a day. When exfiltrating files of interest, Infamous Chisel uses the TLS protocol and a hard-coded IP and port. Use of the local IP address is likely a mechanism to relay the network traffic over a VPN or other secure channel configured on the infected device. This would allow the exfiltration traffic to blend in with expected encrypted network traffic. In the event a connection to the local IP and port fails, the malware falls back to a hard-coded domain that's resolved using a request to dns.google.
Infamous Chisel also installs a version of the Dropbear SSH client that can be used to remotely access a device. The version installed has authentication mechanisms that have been modified from the original version to change the way users log in to an SSH session. [...] The report didn't say how the malware gets installed. In the advisory Ukraine's security service issued earlier this month (PDF), officials said that Russian personnel had "captured Ukrainian tablets on the battlefield, pursuing the aim to spread malware and abuse available access to penetrate the system." It's unclear if this was the vector.
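The exfiltration path the advisory describes has two observable traits a defender can hunt for in device connection telemetry: a regular once-a-day connection from a system process to one hard-coded address, and, when that connection fails, a lookup through dns.google followed by a connection to a different address. The following is an added example written for this summary, not code from the advisory or from the Ars article; the log format, the process name, and every address in it are constructed for illustration (placeholders, not published indicators), and a real deployment would read the device's actual connection records instead.

```python
"""Heuristic hunt for the exfiltration pattern described in the advisory:
a process that beacons to one hard-coded IP:port roughly every 24 hours and,
when that fails, resolves a domain via dns.google before connecting elsewhere.

Added example; the log lines and addresses below are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed connection log: "<iso-time> <process> connect <target> <ok|fail>"
SAMPLE_LOG = """\
2023-08-01T03:00:00 netd connect 10.8.0.1:443 ok
2023-08-02T03:00:05 netd connect 10.8.0.1:443 ok
2023-08-03T03:00:02 netd connect 10.8.0.1:443 fail
2023-08-03T03:00:03 netd connect dns.google:443 ok
2023-08-03T03:00:04 netd connect 203.0.113.7:443 ok
2023-08-03T09:12:11 com.example.mail connect 198.51.100.9:443 ok
2023-08-03T09:12:40 com.example.mail connect 198.51.100.9:443 fail
2023-08-03T09:12:41 com.example.mail connect 198.51.100.9:443 ok
"""


@dataclass
class Event:
    ts: datetime
    proc: str
    target: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Event records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "connect":
            continue
        ts, proc, _, target, result = parts
        events.append(Event(datetime.fromisoformat(ts), proc, target, result == "ok"))
    return events


def is_daily_beacon(times, tolerance=timedelta(minutes=10)):
    """True when consecutive connection attempts are about 24h apart
    (the 'once a day' cadence the advisory describes)."""
    if len(times) < 2:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return all(abs(g - timedelta(days=1)) <= tolerance for g in gaps)


def find_daily_beacons(events):
    """Return (process, target) pairs whose attempts follow a daily cadence."""
    attempts = defaultdict(list)
    for e in events:
        attempts[(e.proc, e.target)].append(e.ts)
    return [key for key, times in attempts.items() if is_daily_beacon(sorted(times))]


def find_fallback_chains(events, window=timedelta(seconds=30)):
    """Return (process, failed_target, new_target) for every failed connection
    that the same process follows, within `window`, by a dns.google request
    and then a connection to an address different from both."""
    findings = []
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.proc].append(e)
    for proc, evs in by_proc.items():
        evs.sort(key=lambda x: x.ts)
        for i, e in enumerate(evs):
            if e.ok:
                continue
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            resolver = next((x for x in later if x.target.startswith("dns.google:")), None)
            if resolver is None:
                continue
            after = [x for x in later
                     if x.ts > resolver.ts and x.target not in (e.target, resolver.target)]
            if after:
                findings.append((proc, e.target, after[0].target))
    return findings


def analyze(text=SAMPLE_LOG):
    """Run both heuristics over a log and return the findings together."""
    events = parse_log(text)
    return {"beacons": find_daily_beacons(events),
            "fallbacks": find_fallback_chains(events)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

Both heuristics are deliberately narrow: an ordinary app that retries the same server after a failure (the mail process in the sample) is not flagged, because it neither keeps a 24-hour cadence nor detours through dns.google. On a real fleet, either trait alone is noise; the value is in a system process showing both, and in the fact that a process named netd should not be opening outbound TLS sessions at all.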
Re: (Score:1)
I think Putin would be more likely to do so.
Re: (Score:2)
He has his Sailfish-based OS on that gigantic phablet they're showing.
But watch for Kamala going to Ukraine for fact-finding and getting the Old Ron Brown as pretext for escalation.
Re: Go Ukraine Go Biden 2024 (Score:1)
Links to pictures of pretty girls (Score:2)
It still works in 2023.
Human instincts haven't changed for centuries.
Re: (Score:1)
Re: (Score:3, Informative)
There's some nice cognitive dissonance. Ukraine is the child trafficking capital of the world.
Only if you count Russian genociders stealing them all.
In actual reality Russia and Belarus are already on the list of the worst. And Ukraine isn't. [usnews.com]
So take your Russian propaganda elsewhere trainy the tranny.
ruZZian servers (Score:2)
"sends it to ruZZian servers either immediately or once a day" - you don't need ruZZian servers in the realm of Ukraine, short them at providers.
I wonder (Score:2)
what AMD agencies would say
How does the device get compromised? (Score:2)
Re: How does the device get compromised? (Score:1)
Also I'm wondering if the ability to install strange software had to be enabled. Service providers make full use of that function, some better than others
Re: (Score:2)
Service providers make full use of that function, some better than others
It used to be the case that service providers controlled all OTAs. So yes they could install anything they want.
I don't know how true this is anymore. I don't think T-mobile knows anything about the OTAs I get on my Pixel device.
Wouldn't it be great... (Score:2)
Of course, we'd have to be able to really trust the malware.
Re: (Score:2)
Get Magisk from topjohnwu on Github if your provider doesn't cripple the bootloader.
Then there's a whole world of bonware available.
I guess it isn't in vogue to call it a spade, but (Score:4, Informative)
Five Eyes. You can just call it Five Eyes (FVEY).
Re: (Score:2)
Five Eyes. You can just call it Five Eyes (FVEY).
To be fair, a lot of people won't know who the Five Eyes are... A lot of people won't even know who New Zealand are.