Spies are Using New Malware to Target Mobile Devices in Ukraine


Ukraine’s security agency says the Russian military intelligence service (GRU) can access compromised Android devices using a new malware family called Infamous Chisel. The malware is associated with the threat actor Sandworm, which has previously been attributed to the GRU’s Main Centre for Special Technologies (GTsST).

Sandworm uses the malware to target Android devices used by the Ukrainian military. It gives unauthorized access to compromised devices and is designed to scan files, monitor network traffic, and steal information.

According to Cybernews, the malware periodically scans the device for information and files of interest, matching a predefined set of file extensions. It also regularly monitors the local network, collating information about active hosts, open ports, and banners.
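The network behaviour described above (collating active hosts, open ports and banners on the local network) leaves a recognisable footprint in connection logs: one source touching many distinct host/port pairs within a short window, whereas ordinary apps talk repeatedly to a few endpoints. As an added example, not taken from the report or the Cybernews article, the following Python detector flags that pattern over constructed sample log lines. The log format, the addresses, and the window and threshold values are assumptions chosen for illustration.

```python
"""Detect local-network sweep behaviour in connection logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <src> <dst> <dst_port>" per line, as a
# router or endpoint firewall might record outbound connections. Every value
# here is made up for this example. 10.0.0.5 sweeps two hosts in a few seconds;
# 10.0.0.7 makes ordinary repeated connections to a single service.
SAMPLE_LOG = """\
2023-08-31T10:00:01 10.0.0.5 10.0.0.1 21
2023-08-31T10:00:01 10.0.0.5 10.0.0.1 22
2023-08-31T10:00:02 10.0.0.5 10.0.0.1 23
2023-08-31T10:00:02 10.0.0.5 10.0.0.1 80
2023-08-31T10:00:03 10.0.0.5 10.0.0.1 443
2023-08-31T10:00:03 10.0.0.5 10.0.0.1 445
2023-08-31T10:00:04 10.0.0.5 10.0.0.1 8080
2023-08-31T10:00:05 10.0.0.5 10.0.0.2 22
2023-08-31T10:00:06 10.0.0.5 10.0.0.2 80
2023-08-31T10:00:07 10.0.0.5 10.0.0.2 443
2023-08-31T10:00:08 10.0.0.5 10.0.0.2 445
2023-08-31T10:00:10 10.0.0.7 10.0.0.1 443
2023-08-31T10:01:30 10.0.0.7 10.0.0.1 443
2023-08-31T10:02:45 10.0.0.7 10.0.0.1 443
2023-08-31T10:04:00 10.0.0.7 10.0.0.2 443
2023-08-31T10:05:12 10.0.0.7 10.0.0.1 443
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    port: int


def parse_log(text: str) -> list[Conn]:
    """Parse the assumed four-field log format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(port)))
    return conns


def detect_scans(conns: list[Conn],
                 window: timedelta = timedelta(seconds=60),
                 min_targets: int = 10) -> dict[str, int]:
    """Return {source: peak distinct (host, port) pairs} for sources that touch
    at least min_targets distinct pairs inside any window-sized interval.

    Counting distinct pairs rather than raw connections keeps a chatty but
    legitimate client (same host, same port, many times) below the threshold.
    """
    by_src: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)

    alerts: dict[str, int] = {}
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        peak = 0
        # Sliding window anchored at each event; O(n^2) is fine for a demo.
        for i, first in enumerate(events):
            targets = set()
            for c in events[i:]:
                if c.ts - first.ts > window:
                    break
                targets.add((c.dst, c.port))
            peak = max(peak, len(targets))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} touched {count} distinct host/port pairs within 60s")
```

In the sample, only 10.0.0.5 is reported (11 distinct pairs in under ten seconds); 10.0.0.7 never exceeds one distinct pair per window despite five connections. The thresholds should be tuned per network: a management host running a legitimate inventory scanner will trip the same rule and needs an allow-list rather than a higher global threshold.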

Ukraine’s security agency, the SBU, publicly disclosed this campaign earlier this month, reporting: “The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.”

The report notes that the malware lacks basic obfuscation or stealth techniques to disguise its activity, perhaps because its creators did not consider them necessary. Even without concealment, the malware’s components pose a serious threat because of the impact of the information they can collect.

The malware targets military applications and the exfiltration of military data, with the aim of gaining access to military networks.

Paul Chichester, NCSC Director of Operations, has stated: “The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace.”

According to Cybernews, the malware analysis report was jointly issued by the NCSC and its counterpart agencies in the United States, Australia, Canada, and New Zealand.