According to Lab52 researchers,
Researchers Discover New Android Spyware Linked to Turla Hackers
Once “activated,” the virus hides its gear-shaped icon on the home screen and runs in the background, exploiting the app’s broad capabilities to access the device’s contacts and call history, track its location, send and read messages, access external storage, snap photos, and record audio. The data collected is saved in JSON format and then sent to the remote server specified earlier. Despite the use of the same C2 server, Lab52 claims it doesn’t have enough evidence to link the malware to the Turla organization. The actual initial access vector used for delivering the malware and the campaign’s intended targets are also unknown at this time. However, the rogue Android software also tries to download a legitimate app called Roz Dhan (Hindi for “Daily Wealth”), which has over 10 million downloads and allows users to earn cash incentives by completing surveys and quizzes. In this regard, the researchers said, Check out? Hackers Distributing Trojanized DeFi Wallet Apps to Steal Crypto