Cybersecurity and intelligence agencies from several countries have revealed details about a mobile malware strain called “Infamous Chisel” that is targeting Android devices used by the Ukrainian military. The malware is attributed to a Russian state-sponsored actor known as Sandworm, which is associated with the Russian Main Intelligence Directorate (GRU).
This malware enables unauthorized access, file scanning, traffic monitoring, and sensitive information theft on compromised devices. Sandworm, active since at least 2014, is notorious for its disruptive and destructive cyber campaigns.
Infamous Chisel is a multifaceted malware with the goal of enabling remote access and information exfiltration from Android phones. It scans devices for data and files, offers SSH access, and provides remote access through TOR with a hidden service.
Persistence on the device is achieved by replacing the legitimate netd daemon with a rogue version that executes commands as the root user. Despite its relatively low to medium sophistication, the malware specifically targets military applications and data.
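Because the persistence mechanism swaps a system binary, a defender's first check is file integrity against a known-good baseline. The following added example (not from the advisory or from any agency tooling) builds a constructed device tree, records the hash of a genuine `netd`, and reports binaries that were modified, removed, or added; the paths, file contents and hashes are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_integrity(root, baseline, watched_dir="system/bin"):
    """Compare files under root with a baseline {relative_path: sha256}.

    Returns {relative_path: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    'unexpected' flags executables in the watched directory that the
    trusted baseline never listed (e.g. a dropped SSH or Tor binary).
    """
    results = {}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            results[rel] = "missing"
        elif sha256_file(full) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    bin_dir = os.path.join(root, watched_dir)
    for name in sorted(os.listdir(bin_dir)) if os.path.isdir(bin_dir) else []:
        rel = f"{watched_dir}/{name}"
        if rel not in baseline:
            results[rel] = "unexpected"
    return results


def demo():
    """Constructed scenario: genuine netd, then a rogue netd plus an extra binary."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "system", "bin")
        os.makedirs(bin_dir)
        genuine = b"\x7fELF constructed genuine netd"          # constructed content
        with open(os.path.join(bin_dir, "netd"), "wb") as f:
            f.write(genuine)
        baseline = {"system/bin/netd": hashlib.sha256(genuine).hexdigest()}
        before = check_integrity(root, baseline)
        with open(os.path.join(bin_dir, "netd"), "wb") as f:   # simulate the swap
            f.write(b"\x7fELF constructed rogue netd")
        with open(os.path.join(bin_dir, "dropped_tool"), "wb") as f:
            f.write(b"constructed extra binary")
        after = check_integrity(root, baseline)
        return before, after
```

On a real device the baseline would be generated from the trusted firmware image and the check run from a separately trusted host, since a rooted device can lie about its own files.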
Additionally, a separate Kremlin-backed hacking group known as Gamaredon has been highlighted for its phishing attempts to steal classified information. Gamaredon, active since 2013 and repeatedly targeting Ukraine, aims to harvest sensitive data related to counteroffensive operations against Russian troops.
The group uses stolen legitimate documents of compromised organizations to infect victims and has a diverse arsenal of malware tools, including Pterodo for espionage and data exfiltration.