Kremlin-backed Sandworm strikes Android devices with data-stealing Infamous Chisel

Five Eyes nations warn of hit against Ukrainian military systems

Russia's Sandworm crew is using an Android malware strain dubbed Infamous Chisel to remotely access Ukrainian soldiers' devices, monitor network traffic, access files, and steal sensitive information, according to a Five Eyes report published Thursday.

The Sandworm gang, which Western government agencies have previously linked to Russia's GRU military intelligence unit, was behind a series of attacks leading up to the bloody invasion of neighboring Ukraine. They've continued infecting that country and its allies' computers with data wipers, info-stealers, ransomware, and other malicious code ever since.

Ukraine's security agency spotted and blocked Sandworm's latest campaign earlier this month when the Kremlin-backed cyber goons were attempting to use Infamous Chisel to break into the army's combat data exchange system. This attempt involved ten samples of the malware, all designed to steal data, according to the Security Service of Ukraine (SBU).

"The SBU operational response prevented Russia's intelligence services from gaining access to sensitive information, including the activity of the Armed Forces, deployment of the Defense Forces, their technical provision, etc," the Ukrainian security agency said.

In other Android malware news, researchers spotted trojanized Signal and Telegram apps for the Google OS that could be used to steal user data.

The apps, called Signal Plus Messenger and FlyGram, were both created by the same developer and linked to the Chinese nation-state gang GREF, according to ESET Research

Google has since removed the fake apps from the Play store, but they are still available in the Samsung store and other third-party online app souks.

Both are built on the open source code for the official Signal and Telegram apps, but laced with the BadBazaar malware — this is the same malicious code that has been used in the past to spy on Uyghurs and other Turkic ethnic minorities.

FlyGram extracts basic hardware details, some Telegram info, and sensitive data on the device, such as contacts, call logs, and Google account details. 

Plus, if enabled, FlyGram will backup and restore Telegram data to an attacker-controlled server, granting snoops full access to these backups.

Signal Plus Messenger, while also collecting similar device data, can also spy on the user's Signal messages and extract the Signal PIN. According to ESET, this marks "the first documented case of spying on a victim's Signal communications by secretly autolinking the compromised device to the attacker's Signal device."

In today's analysis of the Russian malware, the UK National Cyber Security Centre (NCSC), the NSA, the US government's CISA, the FBI, New Zealand's National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security, and Australian Signals Directorate (ASD) confirmed Ukraine's reports of Sandworm's new mobile malware.

Though the write-ups are technical, provide indicators of compromise for those worried about picking up the malware, and dive into the software nasty's code, it's not entirely clear how it gets onto targets' phones. It appears one way is through a debugging tool. It seems to us that its Russians operators have to go to some lengths to get the spyware onto Ukrainians' phones.

Infamous Chisel is a collection of components designed to snoop on the infected device and provides persistent backdoor access via the Tor network. It does this by "configuring and executing Tor with a hidden service which forwards to a modified Dropbear binary providing a SSH connection," the report says.

After setting up shop on victims' mobile devices, the malware occasionally checks for information and files of interest to the Russian military, and scans the local network looking for active hosts and open ports.

It also steals and sends sensitive data back to the GRU, including system device information, commercial application information, and applications specific to the Ukrainian military.

"The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia's illegal war in Ukraine continues to play out in cyberspace," NCSC Director of Operations Paul Chichester said in a statement.

This latest malware campaign follows a slew of other software nasties that Sandworm has used against Ukrainian victims before and during the war. This includes at least two types of disk-wiping malware, CaddyWiper and Industroyer2, plus destructive cyberattacks against an Ukrainian ISP and infrastructure agencies.

Last fall, Sandworm infected "multiple organizations in Ukraine" with RansomBoggs ransomware, and deployed Prestige ransomware against logistics and transportation networks in Poland, according to security researchers.

Ukraine and international law enforcement continue to fight back, and in April 2022 the US Justice Department revealed details of a court-authorized take-down of command-and-control infrastructure Sandworm used to communicate with network devices infected by its Cyclops Blink botnet.  

The US Rewards for Justice program has also offered a $10 million reward for GRU officers linked to the Sandworm gang. ®

More about


Send us news

Other stories you might like