Lookout identified and analyzed an Android sample of Deblind, a component of the Infamous Chisel surveillance tooling that the Sandworm APT uses to monitor user activity on compromised devices. The tool is installed as a privileged system app, enables ADB and developer options, and relies on other Infamous Chisel components to exfiltrate the logs it collects; the activity is linked to Sandworm campaigns against Ukrainian targets #Deblind #InfamousChisel #Sandworm #UkrainianMilitary #Android
Keypoints
- Deblind is a system-level Android surveillance app component tied to Infamous Chisel and Sandworm.
- It monitors user activity via Android accessibility services and stores logs as encrypted JSON on the device.
- The sample runs with root privileges using the su binary to enable ADB and developer options.
- Exfiltration of logs is performed by other Infamous Chisel components, leveraging tools like netd and DropBear.
- Sandworm is a Russian state-sponsored APT with a history of espionage and destructive campaigns, including activity against Ukrainian targets.
MITRE Techniques
- [T1056] Input Capture – ‘monitoring device activity via accessibility services, logging accessibility events as JSON objects stored on the device’.
- [T1036] Masquerading – ‘The Deblind Android app sample has the package name “com.android.system.update” and is meant to be installed as a system app based on use of a shared user ID value of “android.uid.system”’.
- [T1074] Data Staged – ‘Deblind stages user activity logs to the device, but relies on other Infamous Chisel components to exfiltrate these logs.’
- [T1548] Abuse Elevation Control Mechanism – ‘The Deblind app runs hard-coded commands by using the “su” binary. These commands were run by classes that run on boot as well as from the MainActivity class’.
Indicators of Compromise
- [FileName] com.android.system.update – Deblind system app package name used to masquerade as a system app
- [FileName] netd – malicious Infamous Chisel binary named after the legitimate Android network daemon; runs as root and provides the SSH-based access the other components rely on
- [FileName] DropBear – external modified SSH server tool used by Infamous Chisel
- [FilePath] /system/priv-app – target path for installing the system app
- [FilePath] /Android/data/com.android.system/cache/ – directory storing locally encrypted logs
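The key points and the indicator list above (system-app masquerading, ADB and developer options switched on, an accessibility service doing the monitoring, logs staged locally) translate directly into a device triage script. What follows is an added example, not Lookout's, NCSC's or the Infamous Chisel authors' code: a POSIX shell helper that parses `adb shell` output for the listed IoCs. It assumes the staging directory is reachable under /sdcard on the device; the sample package list, settings values and file names at the end are constructed, and the com.android.sysservice package, the Update/ apk directory and the .A11yService class are placeholders. The package check goes beyond the page's single package name and flags any com.android.*-named package installed outside the read-only system partitions.

```shell
#!/bin/sh
# Triage helper for the Deblind indicators on this page.  Added example, not
# Lookout's or NCSC's tooling.  Each check_* function reads one `adb shell`
# query from stdin and prints one finding per hit (exit 0 = hit, 1 = clean),
# so it runs offline on the constructed samples at the end; triage_device()
# feeds the same functions from an attached device.

DEBLIND_PKG="com.android.system.update"   # package name from the IoC list
# The IoC path "/Android/data/com.android.system/cache/" is relative to external
# storage; assumption: it is reachable as /sdcard/... on the device.
LOG_DIR="/sdcard/Android/data/com.android.system/cache"

# Input: `pm list packages -f` lines "package:<apk path>=<package name>".
# Flags the Deblind name and, more generally, any com.android.*/android.* name
# installed outside the read-only system partitions (masquerading, T1036).
check_packages() {
    pk_hits=1
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        entry=${line#package:}; pkg=${entry##*=}; path=${entry%=*}
        if [ "$pkg" = "$DEBLIND_PKG" ]; then
            printf 'DEBLIND_PACKAGE %s %s\n' "$pkg" "$path"; pk_hits=0
        fi
        case "$pkg" in com.android.*|android.*)
            case "$path" in
                /system/*|/system_ext/*|/product/*|/vendor/*|/apex/*) ;;
                *) printf 'SYSTEM_NAME_OUTSIDE_SYSTEM_PARTITION %s %s\n' "$pkg" "$path"; pk_hits=0 ;;
            esac ;;
        esac
    done
    return $pk_hits
}

# Input: "key=value" lines built from `settings get`.  Flags ADB/developer
# options turned on and an accessibility service owned by the Deblind package.
check_settings() {
    st_hits=1
    while IFS='=' read -r key val; do
        case "$key" in
            adb_enabled|development_settings_enabled)
                [ "$val" = "1" ] && { printf 'DEVELOPER_SETTING_ON %s\n' "$key"; st_hits=0; } ;;
            enabled_accessibility_services)
                case "$val" in *"$DEBLIND_PKG/"*)
                    printf 'ACCESSIBILITY_SERVICE_ENABLED %s\n' "$val"; st_hits=0 ;;
                esac ;;
        esac
    done
    return $st_hits
}

# Input: `ls -1` of the staging directory; any file there is a staged log (T1074).
check_log_dir() {
    lg_n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        lg_n=$((lg_n + 1)); printf 'STAGED_LOG_FILE %s/%s\n' "$LOG_DIR" "$f"
    done
    [ "$lg_n" -gt 0 ]
}

# Live collection: same checks fed from adb (CRs stripped for older adb builds).
# The dumpsys line prints the android.uid.system shared UID and /system/priv-app
# code path for manual confirmation.
triage_device() {
    adb shell pm list packages -f | tr -d '\r' | check_packages
    adb shell dumpsys package "$DEBLIND_PKG" | tr -d '\r' | grep -E 'sharedUser=|codePath='
    {
        for k in adb_enabled development_settings_enabled; do
            printf '%s=%s\n' "$k" "$(adb shell settings get global "$k" | tr -d '\r')"
        done
        printf 'enabled_accessibility_services=%s\n' \
            "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    } | check_settings
    adb shell ls -1 "$LOG_DIR" 2>/dev/null | tr -d '\r' | check_log_dir
}

# Constructed sample query output (not captured from a device; the Update/ apk
# directory, the com.android.sysservice package and the .A11yService class are
# placeholders).  `sh deblind_triage.sh --demo` runs the checks on these samples,
# `--device` runs them against an attached phone.
SAMPLE_PM='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Update/Update.apk=com.android.system.update
package:/data/app/com.android.sysservice-1/base.apk=com.android.sysservice
package:/data/app/com.example.notes-1/base.apk=com.example.notes'
SAMPLE_SETTINGS='adb_enabled=1
development_settings_enabled=1
enabled_accessibility_services=com.android.system.update/.A11yService'
SAMPLE_LS='log_0001.bin
log_0002.bin'

case "${1:-}" in
    --device) triage_device ;;
    --demo)   printf '%s\n' "$SAMPLE_PM" | check_packages
              printf '%s\n' "$SAMPLE_SETTINGS" | check_settings
              printf '%s\n' "$SAMPLE_LS" | check_log_dir ;;
esac
```

ADB, developer options and accessibility services are all legitimately enabled on developer and accessibility-user devices, so treat `DEVELOPER_SETTING_ON` as corroborating evidence only; the package-name hit, the android.uid.system shared UID on a package installed under /system/priv-app, and files in the staging directory are the findings that warrant pulling the device for full forensics.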