Russian Hackers used Android malware to track Ukrainian artillery

[Image: Android (Image credit: Android Central)]

Android software is everywhere these days, even finding use on modern battlefields. And just like the apps on your smartphone, downloading potentially compromised .APKs from unofficial sources can lead to unforeseen consequences.

A new report from American cybersecurity technology company CrowdStrike found that a hacker group known as Fancy Bear embedded a malware implant known as X-Agent into an Android app used by the Ukrainian military. The group is thought to have ties to Russian authorities who supported rebel forces in Ukraine, and had previously been linked to the DNC email leaks in another report published by CrowdStrike.

Late in the summer of 2016, CrowdStrike Intelligence analysts began investigating a curious Android Package (APK) named 'Попр-Д30.apk' (MD5: 6f7523d3019fa190499f327211e01fcb) which contained a number of Russian language artifacts that were military in nature. Initial research identified that the filename suggested a relationship to the D-30 122mm towed howitzer, an artillery weapon first manufactured in the Soviet Union in the 1960s but still in use today. In-depth reverse engineering revealed the APK contained an Android variant of X-Agent, the command and control protocol was closely linked to observed Windows variants of X-Agent, and utilized a cryptographic algorithm called RC4 with a very similar 50 byte base key.

The filename 'Попр-Д30.apk' was linked to a legitimate application which was initially developed domestically within Ukraine by an officer of the 55th Artillery Brigade named Yaroslav Sherstuk. In media interviews Mr. Sherstuk claims that the application, which had some 9000 users, reduced the time to fire the D-30 from minutes to seconds. No evidence of the application has been observed on the Android app store, making it unlikely that the app was distributed via that platform.
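The two indicators the report excerpt gives, the MD5 hash and the filename, are the kind of thing a defender would sweep a device backup or file share for. The script below is an added illustration, not code from the article or from CrowdStrike: it hashes every file under a directory, flags matches against those two indicators, and additionally flags files with an .apk extension that are not actually Android packages (a valid APK is a ZIP archive containing AndroidManifest.xml). The sample directory it builds is constructed for the demonstration and contains no malware; the only hash it knows is the one quoted above.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Indicators quoted from the CrowdStrike report excerpt above.
IOC_MD5 = {
    "6f7523d3019fa190499f327211e01fcb": "X-Agent Android variant (Попр-Д30.apk)",
}
IOC_FILENAMES = {"Попр-Д30.apk"}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large archives do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def is_real_apk(path):
    """An APK is a ZIP archive whose root contains AndroidManifest.xml."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as archive:
        return "AndroidManifest.xml" in archive.namelist()


def sweep(root):
    """Return one record per suspicious file found under `root`."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        digest = md5_of_file(path)
        if digest in IOC_MD5:
            reasons.append("MD5 matches reported IoC: " + IOC_MD5[digest])
        if path.name in IOC_FILENAMES:
            reasons.append("filename matches reported IoC")
        if path.suffix.lower() == ".apk" and not is_real_apk(path):
            reasons.append("has .apk extension but is not a valid Android package")
        if reasons:
            hits.append({"name": path.name, "md5": digest, "reasons": reasons})
    return hits


def build_sample_dir():
    """Construct a throwaway directory with a benign APK, a decoy file
    carrying the reported filename (harmless placeholder bytes), and a note."""
    root = Path(tempfile.mkdtemp(prefix="apk-sweep-"))
    with zipfile.ZipFile(root / "calculator.apk", "w") as archive:
        archive.writestr("AndroidManifest.xml", "<manifest/>")
    (root / "Попр-Д30.apk").write_bytes(b"constructed placeholder, not a real APK")
    (root / "notes.txt").write_text("nothing to see here")
    return root


def run_demo():
    """Build the constructed sample directory and sweep it."""
    return sweep(build_sample_dir())


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["name"], hit["md5"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Hash matching alone is brittle (any recompiled build has a different MD5), which is why the sweep also keys on the reported filename and on structural sanity of anything claiming to be an APK; in practice a defender would extend the indicator sets from the full report and run the sweep against an exported device image rather than a scratch directory.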

The report goes on to say that if the X-Agent malware was successfully deployed within the application, it would have allowed for accurate reconnaissance for rebel troops on the location of Ukrainian artillery positions. CrowdStrike found through open source reporting that "Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal." You can read the full report from CrowdStrike here.

This case is obviously a fairly extreme example of the damage hacked apps can do, but let this serve as a stern reminder to all of us about just how easy it can be to download malicious Android apps from the internet.

Marc Lagace

Marc Lagace was an Apps and Games Editor at Android Central between 2016 and 2020. You can reach out to him on Twitter @spacelagace.