April 21, 2025

Doctor Web’s experts have discovered Android.Spy.1292.origin, spyware whose main target is Russian military personnel. The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs. Among other things, the malware sends the attackers phonebook contact information and the infected device’s geolocation. Moreover, this spyware collects data about the files stored on the devices and, when commanded by threat actors, can download additional modules possessing the functionality needed to steal the files.

Alpine Quest is topographic software that allows different maps to be used both in online and offline mode. It is popular among athletes, travelers, and hunters but also widely used by Russian military personnel in the Special Military Operation zone—and this is what the malware campaign organizers decided to exploit. Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality. They created a fake Telegram channel for the software; the channel provided a link for downloading the app in one of the Russian app catalogs. The same trojan version, disguised as the app’s “update”, was later distributed via this very same channel.

The Telegram channel through which threat actors distributed the Android.Spy.1292.origin trojan

Because Android.Spy.1292.origin is embedded into a copy of the genuine app, it looks and operates as the original, which allows it to stay undetected and execute malicious tasks for longer periods of time.

Each time it is launched, the trojan collects and sends the following data to the C&C server:

• the user’s mobile phone number and their accounts;
• contacts from the phonebook;
• the current date;
• the current geolocation;
• information about the files stored on the device;
• the app’s version.

At the same time, it duplicates some of this information in the attackers’ Telegram bot. For instance, the trojan sends it the geolocation data every time the device’s location changes.

After receiving information about the available files, threat actors can command the trojan to download and run additional modules that are to be used to steal the necessary files. The analysis performed by our specialists indicates that the creators of the trojan are particularly interested in confidential documents that users sent via the Telegram and WhatsApp messengers as well as the locLog location log file created directly by the Alpine Quest program.

As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked. In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks.

Doctor Web’s specialists recommend installing Android programs only from reputable sources, such as official app catalogs, and opting against downloading software from Telegram channels and dubious websites, especially when it comes to supposedly freely available paid versions of programs. At the same time, it is important to pay attention to who is distributing the apps of interest, as attackers often disguise themselves as real developers, using similar names and logos.

To protect Android devices, it is essential to use an anti-virus. Dr.Web Security Space for mobile devices reliably detects and deletes the Android.Spy.1292.origin trojan, keeping our users well protected from this threat.

Indicators of compromise

More details about Android.Spy.1292.origin