Skip to main content

A Russian-backed malware group is spoofing pro-Ukraine apps, Google finds

A Russian-backed malware group is spoofing pro-Ukraine apps, Google finds


Details were published in a blog post from the Threat Analysis Group, which tracks state-backed cyber activity

Share this story

Illustration of a phone with yellow caution tape running over it.
Photo by Amelia Holowaty Krales / The Verge

“All warfare is based on deception,” Sun Tzu wrote in The Art of War. Some 2,500 years later, the maxim applies to the virtual battlefield as well as the physical.

As the war in Ukraine rages on, researchers from Google have discovered malware from a Russian state-backed group disguised as a pro-Ukraine app. The details were revealed in a blog post published by Google’s Threat Analysis Group (TAG), which specializes in tracking and exposing state-sponsored hacking.

According to TAG, the Cyber Azov app — which invokes Ukraine’s far-right military unit, the Azov Regiment — was actually created by Turla, a Kremlin-backed hacking group known for compromising European and American organizations with malware.

A web page screenshot shows an app labelled “Azov” in the Cyrillic alphabet, with a description asking users to “Join Cyber Azov and help stop Russian aggression against Ukraine”
Screenshot taken from the Cyber Azov website.
Image: Google Threat Analysis Group

Per TAG’s research, the app was distributed through a domain controlled by Turla and had to be manually installed from the APK application file rather than being hosted on the Google Play Store. Text on the Cyber Azov website claimed the app would launch denial-of-service attacks on Russian websites, but TAG’s analysis showed that the app was ineffective for this purpose.

Meanwhile, analysis of the APK file on VirusTotal indicates that many of the biggest anti-malware providers flag it as a malicious app containing a Trojan.

TAG’s blog post suggests that the number of users who installed the app is small. However, the Cyber Azov domain was still accessible to The Verge on Tuesday morning, meaning more Android users could be tricked into downloading an app. A Bitcoin address listed on the website to solicit donations had not made or received any transactions at time of publication, lending support to the assessment that the malicious app has not achieved a wide reach. (On the other side of the conflict, Bitcoin and other cryptocurrencies have provided one revenue stream for the Ukrainian government and military thanks to the efforts of the Ukraine-based Kuna exchange.)

Besides malicious Android apps, TAG also flagged the exploitation of the recently discovered Follina vulnerability in Microsoft Office, which allows hackers to take over computers using maliciously crafted Word documents. The vulnerability had been used by groups linked to the Russian military (GRU) to target media organizations in Ukraine, Google researchers said.

The spoof app uploaded by Turla taps into a significant trend in the cyber dimension of the Russia-Ukraine conflict, namely the participation of a large decentralized base of digital volunteers hoping to aid the Ukrainian cause. Early in the conflict, Anonymous-linked groups scored a number of victories against Russian companies by hacking and leaking sensitive data, although it is unclear what material effect this has had on the course of the war.

Throughout the invasion, Ukraine’s “IT army” has made headlines by carrying out a string of denial-of-service attacks, loosely coordinated through a government-endorsed Telegram channel — an organizational strategy that analysts have described as a groundbreaking approach to cyber and information warfare.