Security researchers believe that they have discovered Android-based malware that has helped the Russian military locate Ukrainian artillery positions in the ongoing Eastern European conflict. This campaign is also believed to be the work of Fancy Bear, who are also suspected of hacking the US Democratic National Congress.
The researchers first discovered the malware while investigating a suspicious Android package called Попр-Д30.apk. Initial probing revealed a connection to the Soviet-made D-30 122mm towed howitzer, which is still in use today by former Soviet states such as Ukraine.
It’s not that any Android phone is capable of tracking these artillery pieces; rather, the attackers were preying on an app made for the Ukrainian military. Попр-Д30 happens to be the name of a legitimate application that was developed to reduce the firing time of the D-30 from 15 minutes to a few seconds. Most of that saving came from automating the firing-solution calculation that was traditionally done by hand.
Needless to say, this app was in use with most artillery batteries in order to increase battlefield efficiency.
Fancy Bear’s version of the app contained a remote access toolkit known as X-Agent, and is suspected of providing the Russians with communications and location data from the infected phones. Reports indicate that Ukraine has lost some 80 percent of its D-30 howitzers over the last two years of fighting, although no direct link between the malware and those losses has been confirmed.
This may be the first incident of malware being directly used in a military conflict, and it highlights the problem with using civilian technology in wartime environments. It is also a reminder to avoid installing third-party apps on your phone without verifying their origin.