Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Russia Used Android Malware to Track Ukrainian Troops: Report

The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.

The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.

Fancy Bear is also known as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The group is believed to be responsible for many high-profile attacks, including recent operations aimed at the U.S. Democratic Party, government organizations in Turkey and Germany, and the World Anti-Doping Agency (WADA).

CrowdStrike believes Fancy Bear is likely tied to GRU, the foreign military intelligence agency of Russia’s Armed Forces, and the company’s recent findings reinforce this theory.

This summer, the company’s analysts came across an Android application package (APK) file named “Попр-Д30.apk.” The file contained Russian-language artifacts and its name referenced the D-30, a Russian-made 122 mm towed howitzer that first entered service in the 1960s.

The D-30 is still used by the Ukrainian military and, in 2013, artillery officer Yaroslav Sherstuk created an Android app designed to help personnel reduce the time to fire the gun from minutes to under 15 seconds. According to its developer, the application has roughly 9,000 users.

According to CrowdStrike, Fancy Bear took the legitimate Android app and bundled it with an Android variant of X-Agent, a piece of malware that has been used by the threat actor in attacks aimed at high-value targets, including the Democratic National Committee (DNC).

The malicious version of the app was distributed on Ukrainian military forums from late 2014 through 2016. Experts believe the legitimate program had been mainly distributed through social media, not via the Google Play store.

Advertisement. Scroll to continue reading.

The Android variant of the X-Agent malware appears to be designed for strategic purposes as it does not cause any damage to the infected device and it does not interfere with the operation of the original app. X-Agent is capable of accessing contact information, SMS messages, call logs and Internet data.

“CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting,” CrowdStrike wrote in its report.

“Additionally, a study provided by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer. It is possible that the deployment of this malware infected application may have contributed to the high-loss nature of this platform,” the report adds.

The threat intelligence firm pointed out that the purpose of the malicious D-30 app further strengthens its belief that Fancy Bear is likely affiliated with Russia’s GRU agency.

Related: Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems

Related: Two APTs Used Same Zero-Day to Target Individuals in Europe

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.