Security Experts:

Connect with us

Hi, what are you looking for?



Russia Used Android Malware to Track Ukrainian Troops: Report

The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.

The Russia-linked cyberespionage group known as Fancy Bear has tracked Ukrainian artillery forces by planting a piece of Android malware in a legitimate military application, threat intelligence firm CrowdStrike reported on Thursday.

Fancy Bear is also known as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit. The group is believed to be responsible for many high-profile attacks, including recent operations aimed at the U.S. Democratic Party, government organizations in Turkey and Germany, and the World Anti-Doping Agency (WADA).

CrowdStrike believes Fancy Bear is likely tied to GRU, the foreign military intelligence agency of Russia’s Armed Forces, and the company’s recent findings reinforce this theory.

This summer, the company’s analysts came across an Android application package (APK) file named “Попр-Д30.apk.” The file contained Russian-language artifacts and its name referenced the D-30, a Russian-made 122 mm towed howitzer that first entered service in the 1960s.

The D-30 is still used by the Ukrainian military and, in 2013, artillery officer Yaroslav Sherstuk created an Android app designed to help personnel reduce the time to fire the gun from minutes to under 15 seconds. According to its developer, the application has roughly 9,000 users.

According to CrowdStrike, Fancy Bear took the legitimate Android app and bundled it with an Android variant of X-Agent, a piece of malware that has been used by the threat actor in attacks aimed at high-value targets, including the Democratic National Committee (DNC).

The malicious version of the app was distributed on Ukrainian military forums from late 2014 through 2016. Experts believe the legitimate program had been mainly distributed through social media, not via the Google Play store.

The Android variant of the X-Agent malware appears to be designed for strategic purposes as it does not cause any damage to the infected device and it does not interfere with the operation of the original app. X-Agent is capable of accessing contact information, SMS messages, call logs and Internet data.

“CrowdStrike Intelligence assesses a tool such as this has the potential ability to map out a unit’s composition and hierarchy, determine their plans, and even triangulate their approximate location. This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting,” CrowdStrike wrote in its report.

“Additionally, a study provided by the International Institute of Strategic Studies determined that the weapons platform bearing the highest losses between 2013 and 2016 was the D-30 towed howitzer. It is possible that the deployment of this malware infected application may have contributed to the high-loss nature of this platform,” the report adds.

The threat intelligence firm pointed out that the purpose of the malicious D-30 app further strengthens its belief that Fancy Bear is likely affiliated with Russia’s GRU agency.

Related: Russian Cyberspies Use “Komplex” Trojan to Target OS X Systems

Related: Two APTs Used Same Zero-Day to Target Individuals in Europe

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.