Russian Android malware tracked Ukrainian military: Report

Attackers hid malware within a legitimate app, giving hackers access to communication and location data, says security firm CrowdStrike.

Stephen Shankland Former Principal Writer
[Photo: Ukrainian President Petro Poroshenko. Credit: presidential administration of Ukraine]

Russian hackers likely affiliated with the country's military used malware on Android phones to track Ukrainian artillery personnel, a Thursday report from security firm CrowdStrike said.

The malware, from a group dubbed Fancy Bear, was hidden inside a legitimate app from a Ukrainian artillery officer that was used by Ukrainian forces, CrowdStrike said in its report (PDF). The app was distributed through online military forums. It was supposed to help with artillery targeting operations, but it also carried malware called X-Agent that could access phone communications, rough location data and contacts.

"A tool such as this has the potential ability to map out a unit's composition and hierarchy, determine their plans, and even triangulate their approximate location," the report said. "This type of strategic analysis can enable the identification of zones in which troops are operating and help prioritize assets within those zones for future targeting." The infected app was distributed from 2014 through 2016, CrowdStrike said.

Such malware would be a new example of the blurred line between conventional warfare and cyberwar. The conflict between Russia and Ukraine over territory in eastern Ukraine and Crimea is particularly heated: Ukraine accused Russia of blocking governmental communications in 2014, and computer attacks in 2015 took down three Ukrainian power stations, according to security firm iSight. Again, Ukraine laid the blame on Russia.

In the case of Fancy Bear, the software "reveals one more component of the broad spectrum approach to cyber operations taken by Russia-based actors in the war in Ukraine," CrowdStrike said. The tactical information the app provided "supports CrowdStrike's previous assessments that Fancy Bear is likely affiliated with the Russian military intelligence (GRU), and works closely with Russian military forces operating in Eastern Ukraine and its border regions in Russia," the report said.

The Ukrainian and Russian governments didn't immediately respond to a request for comment.