Ethical Hacking News

Alpine Quest Android App Hijacked by Spyware to Spy on Russian Soldiers

  • Russian hackers compromised the Alpine Quest Android app with spyware, targeting Russian soldiers.
  • The malicious variant, Android.Spy.1292.origin, was distributed through a fake Telegram channel and connected to a remote command-and-control server.
  • The malware exfiltrated sensitive data such as geolocation, downloaded files, and GPS logs from the app.
  • Russian hackers also targeted Ukrainian officials and their allies in an ongoing phishing campaign aimed at hijacking Microsoft 365 accounts.



In a disturbing turn of events, researchers have uncovered a malicious variant of the popular Alpine Quest Android app that has been compromised by spyware to target and monitor Russian soldiers. The tampered version of the app, dubbed Android.Spy.1292.origin, was found embedded in an older version of the app's legitimate sister program, Alpine Quest Pro.

According to Dr. Web, a Russian cybersecurity outfit, threat actors created a fake Telegram channel posing as the developer of the app and distributed the malicious variant under the guise of a free update. The infected app silently connects to a remote command-and-control (C2) server, waiting for orders and sending back sensitive data such as the current date and geolocation, downloaded files, mobile phone numbers and accounts, address lists, and even the GPS logs created by Alpine Quest itself.

The malware's capabilities are alarming: it can download and run additional modules that help exfiltrate specific files, particularly documents shared through Telegram or WhatsApp, and locLog GPS logs. While attribution remains unconfirmed, the data collection profile points toward state-backed surveillance – possibly Ukrainian.

This is not an isolated incident; meanwhile, Russian hackers have been targeting Ukrainian officials and their allies in an ongoing phishing campaign aimed at hijacking Microsoft 365 accounts. The attackers pose as diplomats from EU countries such as Romania, Bulgaria, or Poland and contact victims via Signal or WhatsApp with invitations to a video call about the ongoing war.

The attack starts with social engineering – the victim is invited to join a video call – followed by an OAuth phishing URL: a legitimate Microsoft authorization link whose flow ends with the victim being asked to hand the Microsoft-generated OAuth authorization code back to the attacker. The attacker then redeems that code for an access token, ultimately gaining illicit access to M365 resources.
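The flow above only works if the authorization code ends up in front of the victim rather than at a registered application callback. The following is an added example, not code from the original article or from any of the vendors cited: a defender-side heuristic that inspects links received over chat or email and flags Microsoft identity platform authorization requests (response_type=code) whose redirect target would display the code to the user or send it somewhere outside the organisation. The organisation callback suffix, the client_id and the sample messages are constructed for the example; the out-of-band redirect URN and the loopback check are generic OAuth conventions.

```python
"""Flag OAuth authorization links that would surface the authorization code
to the user (added defender example; hostnames and samples are constructed)."""
import re
from urllib.parse import parse_qs, urlparse

# Microsoft identity platform authorization hosts.
AUTHZ_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Redirect values that make the browser show the code instead of delivering
# it to an application backend (out-of-band flow).
CODE_DISPLAY_REDIRECTS = {"urn:ietf:wg:oauth:2.0:oob"}

# Assumption: the organisation only registers HTTPS callbacks under this suffix.
ORG_CALLBACK_SUFFIXES = (".example-org.com",)  # constructed


def analyse_link(url):
    """Return (verdict, reason) for one URL."""
    p = urlparse(url)
    if p.hostname not in AUTHZ_HOSTS:
        return ("ignore", "not a Microsoft authorization host")
    if not p.path.endswith("/authorize"):
        return ("ignore", "authorization host but not the authorize endpoint")

    q = parse_qs(p.query)  # percent-decodes the values for us
    if q.get("response_type", [""])[0] != "code":
        return ("info", "not the authorization-code flow")

    redirect = q.get("redirect_uri", [""])[0]
    if redirect in CODE_DISPLAY_REDIRECTS:
        return ("suspicious", f"code would be displayed to the user via {redirect}")

    r = urlparse(redirect)
    if r.hostname in ("localhost", "127.0.0.1", "[::1]"):
        return ("suspicious", "redirect to loopback: code lands on the victim's machine")
    if r.scheme != "https" or r.hostname is None:
        return ("suspicious", f"non-https or malformed redirect_uri {redirect!r}")
    if not r.hostname.endswith(ORG_CALLBACK_SUFFIXES):
        return ("review", f"redirect_uri host {r.hostname} is not an organisation callback")
    return ("ok", "redirect_uri is an organisation callback")


URL_RE = re.compile(r"https?://\S+")


def scan_messages(messages):
    """Run analyse_link over every URL in every message; return the findings."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            url = url.rstrip(".,)")  # drop trailing punctuation from prose
            verdict, reason = analyse_link(url)
            if verdict in ("suspicious", "review"):
                findings.append((url, verdict, reason))
    return findings


# Constructed sample messages; the client_id below is a placeholder, not a real app.
SAMPLE_MESSAGES = [
    "Hi, please join our call: https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=openid%20offline_access"
    " and send me the code it shows.",
    "Agenda attached: https://intranet.example-org.com/agenda.pdf",
]

if __name__ == "__main__":
    for url, verdict, reason in scan_messages(SAMPLE_MESSAGES):
        print(f"[{verdict}] {reason}\n    {url}")
```

The "review" verdict is deliberately separate from "suspicious": a third-party SaaS callback may be legitimate, so it goes to an analyst rather than being blocked, whereas a code that is shown on screen or delivered to the victim's own loopback interface has no legitimate reason to appear in a chat invitation.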

One campaign even leveraged a compromised Ukrainian government account to lend credibility to the ruse, underscoring the level of sophistication and cunning involved in these attacks.

These incidents highlight the escalating threat landscape as state actors increasingly resort to cyber warfare tactics. As cybersecurity experts continue to sound the alarm about the growing threats facing organizations worldwide, it is essential to recognize the importance of vigilance and proactive measures in protecting sensitive data and systems.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Alpine-Quest-Android-App-Hijacked-by-Spyware-to-Spy-on-Russian-Soldiers-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/04/24/hacked_alpine_quest_android_app/

  • https://www.theregister.com/2025/04/24/hacked_alpine_quest_android_app/

  • https://www.bleepingcomputer.com/news/security/russian-army-targeted-by-new-android-malware-hidden-in-mapping-app/


  • Published: Thu Apr 24 02:50:06 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.