Researchers at Doctor Web have uncovered a new Android spyware campaign targeting Russian military personnel using a trojanized version of the Alpine Quest mapping app. The spyware, dubbed Android.Spy.1292.origin, is embedded in a fake version of the app and distributed through unofficial Russian Android catalogs and a fake Telegram channel. Alpine Quest is a legitimate GPS and topographic mapping app popular among athletes, travelers, and military personnel for its offline capabilities and precision.
The malicious app poses as a free, cracked copy of Alpine Quest Pro, the paid version of the app, which has no ads or analytics. Once installed, it functions like the original app to avoid detection while collecting sensitive data. Each time the app is launched, it sends the user’s phone number, contacts, geolocation, file information, and app version to a command-and-control server and a Telegram bot controlled by the attackers. The spyware can also download additional modules to steal confidential files, particularly those shared via Telegram and WhatsApp, as well as the locLog file from Alpine Quest, which contains location history logs.
The modular design of Android.Spy.1292.origin allows attackers to remotely update it for more targeted surveillance and expand its capabilities to execute a wider range of malicious tasks. While attribution remains uncertain, experts suggest similar tactics have been used by Ukrainian hacktivists. To mitigate the risk posed by such threats, users are advised to download Android apps only from trusted app marketplaces and avoid downloading “free” paid versions of software from dubious sources. It is also important to verify app developers, as attackers often impersonate legitimate developers with similar names and logos. Google Play Protect automatically protects Android users against known versions of this malware.