The Russian ‘Sandworm’ hacking group (not to be confused with the malware of the same name) has been caught repeatedly uploading fake and modified Android apps to Google’s Play store.
They were detected by Google Threat Analysis Group (TAG), making the attacks public during a presentation at the recent CyberwarCon conference.
In a blog on the topic this week, Google says the first attack connected to the group happened in South Korea in December 2017 when the group used bogus developer accounts to upload eight different apps to the Play Store.
On the face of it, the campaign was unsuccessful, garnering fewer than 10 installs per app, but it’s likely that the targets were highly selective.
That came after an attack in September 2017, when TAG detected that Sandworm hackers had uploaded a fake version of the UKR.net email app, downloaded by 1,000 users before it was stopped.
In late 2018, the group switched to inserting backdoors into the apps of legitimate developers in one of its favourite locations, Ukraine.
However, the Google Play Protect team caught the attempt at the time of upload. As a result, no users were infected, and we were able to re-secure the developer’s account.
There’s nothing unusual about this – hackers compromising developer keys to pass their own malware off as legitimate apps has been happening for years.
The significance of the Sandworm (aka Iridium) attacks is that the group is alleged to be connected to the Russian Government – one of a list of hacking entities that also includes Fancy Bear (APT28), Dragonfly, Energetic Bear, Grizzly Steppe, and many others. Sandworm is allegedly behind the NotPetya worm and the cyberattack on the 2018 Winter Olympics.
There are now so many of these that it’s hard to keep up. And it is not helped by the habit of the security industry of giving them different, proprietary names.
Google also reveals that it has detected alleged Russian disinformation campaigns in African countries such as Central African Republic, Sudan, Madagascar, and South Africa.
We terminated the associated Google accounts and 15 YouTube channels, and we continue to monitor this space.
Similar campaigns were uncovered in the Indonesian provinces Papua and West Papua “with messaging in opposition to the Free Papua Movement.”
Sandworm itself has been around since at least 2014, which makes it middle-aged by the standards of Russian hacking groups.
However, it would be a mistake to see this phenomenon as a uniquely Russian affair. Russian groups are highly active, as are ones connected to countries such as China and Iran, but the popularity of nation state-backed hacking and disinformation is spreading across the globe.
This might one day become ubiquitous. If that happens, it will not only be another bad day for the internet but could eventually rebound on its perpetrators too.