Russia targets Android devices of the Ukrainian military using Infamous Chisel malware

A Russian intelligence unit is attacking Ukrainians’ Android devices using malware called Infamous Chisel. Its goal is to steal critical information. This was reported by Western intelligence agencies, according to Ars Technica.

Infamous Chisel is a set of components that provides constant access to an infected Android device via the Tor network and periodically collects and sends information about the victim from compromised devices.

“The information exfiltrated is a combination of system device information, commercial application information and applications specific to the Ukrainian military,” intelligence officials from the UK, US, Canada, Australia, and New Zealand wrote.

Ukraine’s Security Service first reported the malware in early August. At the time, Ukrainian officials said that Ukrainian servicemen “prevented Russian special services from accessing confidential information, in particular, about the activities of the Armed Forces, the deployment of defense forces, their technical support, etc.”

Infamous Chisel gains persistence by replacing a legitimate system component known as netd with a malicious version. It allows the malware to run every time the device is rebooted. In addition, it becomes the main mechanism of this software. The information collected on the device is sent to Russian servers.

Infamous Chisel uses the TLS protocol and an encrypted IP address and port to extract files of interest. The use of a local IP address is believed to be a mechanism to pass network traffic over a VPN or other secure channel that is configured on the infected device. This ensures that penetration traffic is mixed with expected encrypted network traffic.

Among other things, the software installs a version of the Dropbear SSH client, which can be used to remotely access the device.

So far, Western intelligence has not specified how exactly Infamous Chisel is installed on devices. But experts note that the software was created by the Sandworm hacker group. It was responsible for the NotPetya attacks in 2017, as well as attacks on the Ukrainian power grid.