New Android Spyware Targets Russian Soldiers via Mapping Software

TL;DR

A new Android spyware, disguised as a mapping app, has been discovered targeting Russian soldiers. This malware, known as Android.Spy.1292.origin, steals sensitive data and tracks user locations, posing a significant security threat.

New Android Spyware Discovered in Fake Mapping App

A new Android spyware has been uncovered, specifically targeting Russian military personnel. This malicious software, identified as Android.Spy.1292.origin, was found hidden within a trojanized version of the Alpine Quest app, which is popular among athletes, travelers, and Russian soldiers for war zone planning.

Discovery and Distribution

Researchers at Doctor Web discovered that the spyware was distributed through Russian Android catalogs. The malware is designed to steal contacts, geolocation data, and file information. It can also download additional modules to exfiltrate stored data when commanded by its operators [1].

“Alpine Quest is topographic software that allows different maps to be used both in online and offline mode. It is widely used by Russian military personnel in the Special Military Operation zone—and this is what the malware campaign organizers decided to exploit,” reads the report published by Doctor Web [2].

Malware Functionality

The threat actors embedded Android.Spy.1292.origin into an older version of the Alpine Quest app and distributed it under the guise of a freely available version of Alpine Quest Pro. This trojanized app functions like the genuine version to avoid detection but silently gathers and transmits data such as the user’s phone number, accounts, contact list, current date, geolocation, stored file details, and app version to a command-and-control server [2].

Telegram Channel Involvement

The malware was distributed through a fake Telegram channel, where a link to download the trojanized app from a Russian app catalog was shared. The same channel was later used to push a malicious “update” to ensure continued data theft [2].

Data Exfiltration and Modular Design

Once the trojan gathers file information, attackers can instruct it to download and run extra modules to steal specific data. The malware is particularly interested in confidential documents shared through Telegram and WhatsApp, as well as the locLog file generated by Alpine Quest. This enables Android.Spy.1292.origin to track user locations and exfiltrate sensitive files, with its modular design allowing for expanded malicious activities [2].

“As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked. In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks,” concludes the report [2].

Recommendations for Users

To protect against such threats, researchers recommend downloading Android apps only from trusted sources like official app stores. Avoiding Telegram channels and shady sites, especially those offering free versions of paid apps, is crucial. Users should also verify app distributors, as attackers often impersonate legitimate developers with similar names and logos [2].
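
Names and logos can be copied, but a repackaged build cannot carry the original developer's signature unless the signing key itself was stolen, so the distributor check can be done on the APK's signing certificate. The Python below is an added example, not taken from Doctor Web's report: it parses the output of the Android SDK's `apksigner verify --print-certs` and compares it with a fingerprint recorded from a copy obtained through the official store; the fingerprints and sample output are constructed placeholders.

```python
import re

# Line printed by `apksigner verify --print-certs <apk>` (Android SDK build-tools).
# Output that does not match this form yields no digests and is rejected (fail closed).
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)

def signer_digests(apksigner_output: str) -> list[str]:
    """Return the SHA-256 digest of every signer certificate, lowercased."""
    return [m.group(2).lower() for m in DIGEST_RE.finditer(apksigner_output)]

def check_signers(apksigner_output: str, pinned: set[str]) -> tuple[bool, str]:
    """Accept the APK only if every signer certificate was pinned in advance."""
    # Fingerprints are often written colon-separated and upper case; normalise them.
    pinned = {p.replace(":", "").lower() for p in pinned}
    found = signer_digests(apksigner_output)
    if not found:
        return False, "no signer certificate found (unsigned or verification failed)"
    unknown = [d for d in found if d not in pinned]
    if unknown:
        return False, "unknown signer: " + ", ".join(unknown)
    return True, "signer matches pinned certificate"

# Constructed values: these are not the real certificate of any app.
PINNED = {"AA:" * 31 + "AA"}
GENUINE_OUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "aa" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "bb" * 20 + "\n"
)
# Same app name and DN, but re-signed with a different key after modification.
REPACKAGED_OUT = GENUINE_OUT.replace("aa" * 32, "cc" * 32)

if __name__ == "__main__":
    for name, out in [("genuine", GENUINE_OUT), ("repackaged", REPACKAGED_OUT)]:
        print(name, check_signers(out, PINNED))
```

The certificate DN is attacker-chosen text and is deliberately ignored; only the digest is compared.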

Conclusion

The discovery of Android.Spy.1292.origin highlights the ongoing threat of sophisticated malware targeting specific user groups. Vigilance and adherence to best practices in app downloads are essential to mitigate such risks.

References

  1. Doctor Web (2025). “Android spyware hidden in mapping software targets Russian soldiers”. Security Affairs. Retrieved 2025-04-24.

  2. Doctor Web (2025). “News”. Doctor Web. Retrieved 2025-04-24.

This post is licensed under CC BY 4.0 by the author.