Russia’s spies using new crude malware to target Android devices in Ukraine


The Russian military intelligence service, the GRU, has been accessing compromised Android devices with a new malware family dubbed Infamous Chisel. The campaign was first spotted and described by Ukraine’s security agency; the technical details were then published by the UK’s National Cyber Security Centre (NCSC) together with international partners.

The new report supports the attribution of the campaign to the GRU.

Infamous Chisel is associated with the threat actor Sandworm, which the NCSC has previously attributed to the Russian GRU’s Main Centre for Special Technologies (GTsST).

Sandworm is using the new malware in a campaign targeting Android devices used by the Ukrainian military. According to the report, the malware gives the actor unauthorized access to compromised devices and is designed to scan files, monitor traffic, and periodically steal sensitive information.

The malware periodically scans the device for information and files of interest, matching a predefined set of file extensions. It also contains functionality to regularly monitor the local network, collating information about active hosts, open ports, and banners.

Infamous Chisel provides network backdoor access via a Tor (The Onion Router) hidden service and Secure Shell (SSH). Its other capabilities include network monitoring and traffic collection, network scanning, and file transfer over SCP.

The campaign was publicly uncovered by Ukraine’s security agency, the SBU, earlier this month.

“The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity,” the report says.

It notes that the components lack basic obfuscation or stealth techniques to disguise their activity. The threat actor may have deemed such measures unnecessary, since many Android devices have no host-based detection system. The malware targets military applications, exfiltrates military data, and is used to gain access to the networks those devices connect to.

To maintain persistence, the malware replaces the legitimate netd executable, the Android system daemon responsible for managing network configuration and settings. Because netd is started by the system at boot, the malicious replacement runs whenever the device does. Replacing a file under /system also implies the actor already had root and a writable, unverified system partition, which is itself worth checking for on a suspect device.
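The two traits just described, a replaced netd binary and a backdoor listening over SSH or Tor, are exactly the kind of thing a simple host check catches on a device that has no host-based detection. The script below is an added example, not code from the NCSC report or from the malware: it triages `sha256sum` and `ss -ltnp` (or `netstat -ltnp`, whichever the device provides; assumed available) output collected with `adb shell`. The baseline netd hash, the expected listener set, the port-to-service hints (22 for SSH, 9050/9051 as Tor defaults) and the sample device output are all constructed assumptions; the page gives no hashes, ports or process names, so the real values must come from a known-good device of the same build.

```python
"""Triage Android artefacts for a replaced netd and unexpected backdoor listeners.

Inputs are plain text collected with `adb shell sha256sum /system/bin/netd`
and `adb shell ss -ltnp` (or `netstat -ltnp`). Every constant and sample
below is constructed for this example, not taken from the report.
"""
import re

# Hypothetical baseline: sha256 of netd from a known-good device on the same
# build fingerprint. Placeholder value, not a real hash.
KNOWN_GOOD_NETD = {
    "/system/bin/netd": "0" * 64,
}

# Ports this device is expected to have listening (assumption: adb over TCP).
EXPECTED_LISTENERS = {5555}

# Well-known defaults that map to the backdoor channels the report describes.
PORT_HINTS = {22: "ssh", 9050: "tor-socks-default", 9051: "tor-control-default"}

HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")
ADDR_PORT = re.compile(r"^(.+):(\d+)$")
PROG_SS = re.compile(r'\(\("([^"]+)"')        # ss: users:(("name",pid=..,fd=..))
PROG_NETSTAT = re.compile(r"\d+/(\S+)")        # netstat: 1234/name


def parse_sha256sum(text):
    """Parse `sha256sum <path>` output into {path: lowercase hexdigest}."""
    hashes = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            hashes[m.group(2)] = m.group(1).lower()
    return hashes


def check_netd(sha_text, baseline=KNOWN_GOOD_NETD):
    """Flag every baselined binary whose observed hash is missing or differs."""
    findings = []
    observed = parse_sha256sum(sha_text)
    for path, good in baseline.items():
        seen = observed.get(path)
        if seen is None:
            findings.append(f"{path}: no hash collected")
        elif seen != good.lower():
            findings.append(f"{path}: hash mismatch (replaced netd?)")
    return findings


def parse_listeners(text):
    """Return {(port, program)} for every LISTEN line in ss or netstat output.

    The local address is the first whitespace-separated field shaped like
    addr:port with a numeric port; the peer field ends in ':*' and is skipped.
    """
    listeners = set()
    for line in text.splitlines():
        if "LISTEN" not in line:
            continue
        port = None
        for field in line.split():
            m = ADDR_PORT.match(field)
            if m:
                port = int(m.group(2))
                break
        if port is None:
            continue
        prog = PROG_SS.search(line) or PROG_NETSTAT.search(line)
        listeners.add((port, prog.group(1) if prog else "?"))
    return listeners


def check_listeners(ss_text, expected=EXPECTED_LISTENERS):
    """Flag every listening port not in the expected set, with a service hint."""
    findings = []
    for port, prog in sorted(parse_listeners(ss_text)):
        if port in expected:
            continue
        hint = PORT_HINTS.get(port, "unexpected")
        findings.append(f"port {port} ({prog}): {hint} listener")
    return findings


def triage(sha_text, ss_text):
    """Combine both checks into one list of findings."""
    return check_netd(sha_text) + check_listeners(ss_text)


# Constructed sample output: netd hash differs from the baseline, and an SSH
# daemon plus a Tor SOCKS port are listening alongside the expected adbd.
SAMPLE_SHA = "ff" * 32 + "  /system/bin/netd\n"
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1234,fd=4))
tcp   LISTEN 0      128    127.0.0.1:9050      0.0.0.0:*         users:(("tor",pid=1235,fd=6))
tcp   LISTEN 0      4      0.0.0.0:5555        0.0.0.0:*         users:(("adbd",pid=300,fd=8))
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_SHA, SAMPLE_SS):
        print("[!]", finding)
```

On the sample input this reports the netd mismatch and the two unexpected listeners on 22 and 9050. The hash comparison is only as good as its baseline: collect it from a clean device of the identical build, and treat any writable or verity-disabled system partition as a finding in its own right, since the legitimate netd cannot be replaced without one.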

Even with a lack of concealment, the malware’s components “present a serious threat because of the impact of the information they can collect.”

The UK has expressed an ongoing commitment to support Ukraine in the face of Russian attacks, including in the area of cyber defense.

“The exposure of this malicious campaign against Ukrainian military targets illustrates how Russia’s illegal war in Ukraine continues to play out in cyberspace,” said Paul Chichester, NCSC Director of Operations. “The UK is committed to calling out Russian cyber aggression and we will continue to do so.”


Ukraine has faced an unprecedented barrage of attacks originating in Russia and has successfully defended itself and bolstered its overall digital resilience with support from international partners in government and industry, the NCSC writes.

As announced by the UK’s Prime Minister Rishi Sunak in June, the UK-funded Ukraine Cyber Programme is being boosted with up to £25 million in additional funding and a two-year extension to help Ukraine protect its critical national infrastructure and vital public services online.

The malware analysis report has been jointly issued by the NCSC and corresponding agencies in the United States, Australia, Canada, and New Zealand.