Introduction

Russian state-sponsored threat groups, such as Fancy Bear (APT28), Cozy Bear (APT29), Turla, and Sandworm, among others, are well-known for complex cyber-espionage operations, targeted intrusions, destructive attacks, and disinformation campaigns. Some of the capabilities of Russian threat groups, however, are not well-known and extend beyond the usual targeting of government and critical infrastructure enterprise networks.

The main three Russian intelligence services (GRU, FSB, and SVR) have also conducted less well-known and underreported intelligence gathering campaigns against Android and iPhone users delivering spyware as well as collecting credentials for specific mobile applications.

In this blog, I will be examining open source intelligence (OSINT) reports, leveraging the findings and citing investigations conducted by other threat researchers, to present my key findings and an overall assessment of these mobile threat campaigns.

Background on Mobile Threats from Russia

Multiple threat groups belonging to each of the three main Russian intelligence agencies have been observed leveraging mobile spyware or targeting the credentials of specific mobile applications over the course of the last decade.

Having dedicated mobile spyware and exploit developers or acquiring these capabilities from external third-party vendors is expensive and requires vast resources. It further shows the considerable investments, willingness, and value the Kremlin places upon offensive cyber operations against its targets.

Android Malware used by Russia

Fancy Bear’s X-Agent for Android

On 22 December 2016, CrowdStrike published a report on X-Agent, an Android malware that CrowdStrike linked to Fancy Bear, a threat group attributed to the Russian GRU Unit 26165. The researchers uncovered a fake Android APK posing as an application developed in Ukraine by an officer of the 55th Artillery Brigade to help reduce targeting time for the soviet-era D-30 122mm towed howitzer. Between 2014 and 2016, Fancy Bear reportedly distributed the Android X-Agent malware via Ukrainian military forums. Successful deployment of the Fancy Bear malware via this fake application would have facilitated reconnaissance against Ukrainian troops, such as their location and their communications. This sensitive information gleaned from infected devices could easily be useful to identify positions of Ukrainian artillery forces and target them, giving themselves a battlefield advantage.

Monokle

On 24 July 2019, Lookout shared a report on Monokle, a custom Android spyware developed by the Russian private contractor firm Special Technology Centre (STC). The very same STC has also been sanctioned by the US government for supporting the GRU with Russian interference in the 2016 US presidential election. Interestingly, Monokle was developed by STC alongside its Android antivirus solution called Defender (in Russian).

What made Monokle notable was its novel methods to exfiltrate data from the victim's device, even without root access. It made extensive use of Android accessibility services to collect information from Android apps installed on the target device and could download and use an attacker-supplied SSL/TLS certificate that enabled Adversary-in-the-Middle (AiTM) attacks. Other capabilities of Monokle include its use of keyword dictionaries to search for topics of interest on the device as well as recording the device's screen when locked allowing it to steal the user's PIN, pattern, or password.

Monokle was reportedly distributed via valid Android APKs with legitimate functionality, so users would be less suspicious of it. Lookout has observed a low number of samples of Monokle being deployed in the wild as early as March 2016 in highly targeted attacks. Targets of Monokle were likely located in the Caucasus or from the Ahrar al-Sham militant group in Syria, as well as other English-, Arabic- or Russian-speaking victims.

Figure 1: Malicious apps containing Monokle. (Source: Lookout)

Sandworm’s Android Campaigns

On 26 November 2019, Google reported they had discovered a series of Android malware campaigns tied to Sandworm, a threat group linked to the Russian GRU Unit 74455. The first detected Sandworm campaign targeted users in South Korea in December 2017. They modified up to eight legitimate Android applications with malware and uploaded them to the Google Play Store using attacker-created developer accounts. These apps, however, had fewer than 10 total installs each. The second detected Sandworm campaign targeted users in Ukraine and was earlier in September 2017. The adversary used a similar tactic to deploy a fake version of the UKR.net email app on the Google Play Store, which managed to earn around 1,000 total installs.

Figure 2: Malicious apps by Sandworm targeting South Korea. (Source: Google)

The third Sandworm campaign Google detected involved spear-phishing attacks towards Android app developers also in Ukraine and was later in November 2018. In at least one case, Sandworm managed to compromise an Android app developer from Ukraine with several published Google Play Store apps, one with over 200,000 installs. Using the hijacked developer account, Sandworm built a customer backdoor into one of the legitimate apps, signed it with one of the developer’s stolen code-signing keys, and attempted to publish it on the Google Play Store. However, the Google Play Protect team caught the attempt at the time of upload and prevented any infections.

On 31 August 2023, the UK NCSC published a report in conjunction with the US, New Zealand, Canada, and Australia on Infamous Chisel, a new mobile malware linked to Sandworm that was used to target the Android devices used by the Ukrainian military. Infamous Chisel is an advanced piece of Android malware with several persistence mechanisms, an unusual C2 communication system, and would search for mobile applications specific to the Ukrainian military. Infamous Chisel could gain remote access by using Tor and forwarding to Dropbear to open an SSH connection. Other notable capabilities of Infamous Chisel includes it being able to monitoring network traffic for collection, perform local network scanning, and use SCP file transfer for exfiltration.

Turla turns to Android

On 19 July 2022, Google discovered Turla, a threat group attributed to the Russian FSB Center 16, hosting the malicious "CyberAzov" Android APKs on a domain spoofing the Ukrainian Azov Regiment. The app posed as a Denial of Service (DoS) attack tool to use against Russian websites that mimicked another app called “StopWar” that was likely created by pro-Ukrainian hacktivists. However, it only performed single GET request to the target website, which is nowhere near enough to be effective. Notably, Turla’s CyberAzov app was not distributed using the Google Play Store, but was hosted on a domain controlled by the adversary and disseminated via links on third party messaging services (like Telegram). Google found, however, that the number of installs was likely miniscule.

Figure 3: Turla’s CyberAzov app. (Source: Google)

This was also the first public disclosure involving Turla, an FSB threat group that has been active for around two decades, utilizing Android malware. In this campaign, the Turla operators aimed to exploit one of the early trends at the start of the Russia-Ukraine war, which was volunteers hoping to aid Ukraine by launching cyberattacks against Russian organizations. By targeting the Ukrainian cyber volunteers, Turla could have potentially gained access to these communities that were organizing such attacks and gain advanced intelligence on which Russian organizations were going to be targeted next.

UAC-0210 targets the Ukrainian military

On 4 September 2024, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed that a threat group it tracks as UAC-0210 launched a campaign against the Armed Forces of Ukraine to steal application credentials and transmit GPS coordinates to target the locations of Ukrainian soldiers with kinetic weapons. UAC-0210 used Signal, an end-to-end encrypted (E2EE) messaging app, to send messages containing malicious links. Signal is widely used in Ukraine by its military and government as a secure alternative to Telegram or WhatsApp. The malicious links were used to distribute malicious Android APK files posing as platforms used by the Armed Forces of Ukraine called “GRISELDA” and “Eyes”. 

Figure 4: Fake GRISEDLA application sent by UAC-0210. (Source: CERT-UA)

Figure 5: Fake Eyes app sent by UAC-0210. (Source: CERT-UA)

For GRISELDA, the UAC-0210 operators registered a new domain and hosted a cloned version of the legitimate GRISELDA website to distribute a malicious APK file. Notably, the malicious APK contained Hydra, an Android malware developed by cybercriminals and sold on underground forums that can steal session data (HTTP Cookies), contacts, and log keystrokes. For Eyes, the UAC-0210 operators delivered the app via Google Drive links. The malicious APK was a modified the legitimate Eyes program with an additional Java class that exfiltrates data to a Cloudflare workers[.]dev attacker-controlled domain.

Summary Timeline

Figure 6: Summary Timeline of Russian Android Malware Case Studies

iOS Malware used by Russia

Fancy Bear's X-Agent for iOS

On 4 February 2015, Trend Micro disclosed additional details about a long-running cyber-espionage campaign they tracked as Operation Pawn Storm, which is tied to Fancy Bear. Operation Pawn Storm targeted a wide range of entities, such as militaries, governments, defense contractors, and media organisations. During their tracking, Trend Micro detected two versions of Fancy Bear's mobile spyware for iOS 7 systems. The iOS version of X-Agent could steal personal data such as text messages, contact lists, pictures, geo-location data, a list of installed apps, WiFi connectivity data, record audio, take screenshots, and exfiltrate them to an attacker-controlled server using file transfer protocol (FTP).

Another variant of X-Agent for iOS was also uncovered by Trend Micro and dubbed MadCap, which was similar but focused on recording audio. There was, however, one significant caveat to this mobile malware. In order for the X-Agent to work, the target iOS device needed to be jailbroken. Trend Micro admitted that the exact way how Fancy Bear intended to install the mobile malware on iOS devices was not found, but they suspected it was very likely via social engineering rather than a zero-day exploit. Alternatively, it was potentially still possible to install the malicious app onto non-jailbroken devices, if it was signed with a stolen Apple developer code-signing certificate or if the attacker had the target iPhone and could physically connect it to another device via a cable.

Cozy Bear’s zero-day iOS exploits sent via LinkedIn

On 14 July 2021, Google uncovered that Cozy Bear, a threat group associated with the Russian SVR, had sent malicious links via LinkedIn direct messages to exploit the iPhones of government officials from Western European countries. If the target visited the link from an iOS device and certain conditions were met, a zero-day vulnerability was exploited in Apple WebKit, which is now tracked as CVE-​2021-1879. The zero-day exploit could turn off protections in Safari that allowed a payload containing a stealer to grab authentication cookies from several target websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo. It then sends the cookies via WebSocket to an attacker-controlled IP which could then be used for a session replay attack by Cozy Bear operators to access the victim’s accounts.

Pegasus iOS spyware targeting Russian and Belarusian dissidents

On 30 May 2024, a joint investigation between Access Now and Citizen Lab was published on how seven Russian- and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted and/or infected with NSO Group’s Pegasus spyware. The campaigns reportedly took place between August 2020 and January 2023 with at least five of the cases potentially being the result of targeting by a single NSO Group customer. One of the victims was Galina Timchenko, an exiled Russian journalist and CEO of Meduza. Many of the targets publicly criticized the Russian government, including Russia’s invasion of Ukraine, and have already faced intense threats from Russian and/or Belarusian state security services.

Cozy Bear’s iOS and Android watering hole

On 29 August 2024, Google shared that they uncovered a watering hole attack on cabinet[.]gov[.]mn and mfa[.]gov[.]mn. These are Mongolian government websites, which were compromised to load a hidden iframe from the attacker-controlled website to deliver known (n-day) exploits. In November 2023 and February 2024, the watering hole sites delivered an iOS WebKit exploit for the previously disclosed flaw tracked as CVE-2023-41993. If a system was exploited successfully, the iOS payload was the same cookie stealer payload that Google observed in 2021 used by Cozy Bear. The cookie stealer continued to target session cookies from accounts such as Outlook Web App, Gmail, LinkedIn, Yahoo, Facebook, but also GitHub and iCloud.

In July 2024, mfa[.]gov[.]mn was compromised again and was now infected with JavaScript that redirected Android devices running the Google Chrome browser to an iframe that delivered an exploit chain targeting CVE-2024-5274 and CVE-2024-4671 to deploy a Chrome infostealing payload. The Android payload was also a cookie stealer that collected cookies from all available sites, autofill data (such as password or credit cards), as well as web browsing history.

Google assessed with moderate confidence the campaigns are linked to the Russian government-backed actor Cozy Bear. These campaigns delivered known exploits with patches already available, but would still be effective against unpatched devices.

Summary Timeline

Figure 7: Summary Timelines of Russian iOS Malware Case Studies

Russian Mobile Network Attacks

Hidden Bear

On 9 February 2022, ENEA published a report on HiddenArt, a telecommunications signalling threat group that ENEA assesses to have ties to Russian government. Art is the Old Irish/Gaelic word for Bear. Active since at least 2018, HiddenArt has been observed performing periodic network reconnaissance against mobile networks globally and exploiting Signalling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages.

The adversary managed to stay hidden for years due to a technique they used to make their source SS7 addresses spoof legitimate mobile network nodes located in Africa. These nodes belonging to mobile operators in Africa were observed targeting specific devices belonging to Russian political dissidents as well as undisclosed VIPs with ties to the economic and political spheres. ENEA worked with the affected group of mobile operators in Africa to install firewalls and detected that the abnormal SS7 commands spoofing their nodes were in fact originating from Russia.

Figure 8: HiddenArt SS7 Attack Technqiue. (Source: ENEA)

Kyivstar Wiper Attack

On 12 December 2023, Kyivstar, Ukraine’s largest mobile operator, announced on Facebook that it had suffered a destructive cyberattack. The attack reportedly left 24 million Kyivstar subscribers in Ukraine and abroad without voice and data connectivity on mobile and fixed line networks for two days. PrivatBank, Ukraine’s largest bank, was also impacted by the KyivStar attack, it stated on Facebook that its Point-of-Sale (PoS) systems, ATMs, and other PrivatBank self-service terminals had lost connection.

The attack was attributed to the GRU-linked threat group Sandworm by Ukraine’s security service (SBU). Sandworm reportedly attempted to infiltrate Kyivstar’s network in March 2023 or earlier, and managed to gain access at least as early as May 2023, and likely gained full control of the network by November 2023 before wiping the network in December 2023. The SBU officials noted that the level of access Sandworm managed to gain may have enabled the theft of personal information, understand the locations of phones, or intercept SMS messages. After that, the Sandworm operators wiped “almost everything,” including thousands of virtual servers and workstations, according to the SBU.

It was not until 20 December 2023 that Kyivstar had managed to restore all of its services in Ukraine.  The attack is said to have costed its parent company, Netherlands-based Veon, almost 100 million USD. According to the SBU, the destructive hack did not impact the communication systems of the Ukrainian armed forces, which reportedly do not rely on KyivStar. The incident was, however, “one of the highest-impact disruptive cyberattacks” on the country since the start of the war, Ukrainian officials said.

Key Takeaways

Based on the case studies outlined above, several assessments about Russia’s campaigns against mobile users can be made. Due to the development of custom mobile-malware and exploits for Android and iOS, it appears there may be dedicated mobile-focused experts within the GRU, FSB, and SVR.

From the OSINT case studies of publicly disclosed Russian mobile malware campaigns, it appears the GRU are the biggest users, followed by the SVR. Because the first mobile malware linked to Turla was only disclosed in 2022, it appears the FSB is either highly advanced at stealthily deploying spyware or is less likely to use mobile attacks. Due to sophisticated mobile malware often being highly targeted, researchers (like myself) that have to rely on OSINT, are often missing the bigger picture and insights that intelligence agencies or technology companies like Apple and Google have. This is just my assessment based on available evidence.

The first notable observation following the research was that the Russian GRU’s mobile campaigns are highly focused on Ukraine and are used foremost to gain an advantage on the battlefield. The was evident with Fancy Bear’s campaign against Ukrainian artillery units and a new GRU Android malware appeared following Russia’s invasion of Ukraine in February 2022. It is also interesting that the emergence of Infamous Chisel in 2023 overlapped with Sandworm gaining access to the Kyivstar mobile operator’s network also in 2023.

Interestingly, in the case of UAC-0210 shared by CERT-UA, the adversary borrowed code from Hydra, a malware developed by cybercriminals, for cyber-espionage purposes. While this attack could well have been conducted by a financially motivated criminal looking to make money selling access to sensitive military data, the behaviour of borrowing code from cybercriminals is a well-known tactic used by Sandworm’s operators, who were observed last year by Google using Rhadamanthys, an infostealer malware also sold by cybercriminals, to target energy sector organisations in Eastern Europe.

Lookout’s discovery of STC’s Monokle malware further highlights the Kremlin’s use of Russian private contractors for offensive cyber operations. This aligns with other types of more exotic capabilities that the Kremlin outsources the development of capabilities to, such as the creation of industrial control system (ICS) malware by NTC Vulkan for the GRU or specific network protocol targeting tools by SyTech for the FSB.

The targeting of Russian and Belarusian dissidents by Pegasus spyware was also interesting, as it highlights the proliferation of such spying capabilities from commercial surveillance vendors. The likelihood of NSO Group selling directly to the Russian government, with full knowledge, however, is low due to their numerous past statements and Israel’s strained relationship with Russia. The Russian intelligence services distrust NSO Group, for being an Israeli mercenary spyware company, that could offer knowledge of Russia’s spying operations to the Israeli government and their allies. Some researchers have speculated that an unknown third country could have carried out the attack on Russia's behest to obscure attribution.

Conclusion

Overall, organisations repeatedly targeted by Russia, such as those in Ukraine or countries that share a border with Ukraine or Russia, need to be aware of these less common but significant mobile threats. Individual government officials, diplomats, dissidents, and executives must take necessary precautions to mitigate the risk of such attacks.

Recommended Best Practices