New Russian Android malware targets Ukraine’s military devices: Report

Russia’s Sandworm attack group has created a new toolkit for compromising Android devices, says a report released today by the Five Eyes intelligence co-operative consisting of the intelligence agencies of the U.S., Canada, the U.K., Australia and New Zealand, first using it to target Android devices used by the Ukrainian military.

The malware, which the government researchers dub ‘Infamous Chisel,’ searches for specific files and directory paths that relate to military applications.

The malware provides a network access backdoor via a Tor service and secure shell (SSH). It performs periodic scanning of files and network information of the compromised device for exfiltration. Other capabilities include network monitoring, traffic collection, SSH access, network scanning, and SCP file transfer.

Sandworm — also called Voodoo Bear, Electrum by some researchers — has been linked to the Russian military intelligence’s Main Centre for Special Technologies (GTsST). That organisation has been accused by the U.S. of being behind the 2015 and 2016 attacks against Ukrainian electric providers, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. According to Mitre, some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.

Creation of the Infamous Chisel toolkit is the latest move in the cyber war between Russia and Ukraine, part of the larger physical war between the two countries.

According to the Five Eyes report, components within Infamous Chisel are “of low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.”

“Although the components lack basic obfuscation or stealth techniques to disguise activity, the actor may have deemed this not necessary,” the report adds, “since many Android devices do not have a host-based detection system.”

Two interesting techniques are present in Infamous Chisel, the report says:

  • the replacement of the legitimate Android netd executable to maintain persistence.
  • the modification of the authentication function in the components that include an SSH client dubbed dropbear.

These techniques require a good level of C++ knowledge to make the alterations and an awareness of Linux authentication and boot mechanisms, the report says.

“Even with the lack of concealment functions, these components present a serious threat because of the impact of the information they can collect,” the report adds.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now