April 23, 2025 By Bill Toulas

A new Android malware has been discovered hidden inside trojanized versions of the Alpine Quest mapping app, which is reportedly used by Russian soldiers as part of war zone operational planning.
Attackers promote the trojanized app as a free, cracked version of the premium Alpine Quest Pro, using Telegram channels and Russian app catalogs for distribution.
AlpineQuest is a legitimate GPS and topographic mapping app for Android used by adventurers, athletes, search-and-rescue teams, and military personnel, valued for its offline capabilities and precision.
The app has two versions: a free Lite version with limited features and a paid Pro version that is free of tracking libraries, analytics, and advertisements.
The spyware, which was discovered by researchers at Russian mobile antivirus company Doctor Web, hides inside a fully working Alpine Quest app, reducing suspicion and creating valuable data theft opportunities.
Once launched, it attempts to steal communication data and sensitive documents from the device, potentially revealing details about army operations. Specifically, the spyware performs the following actions:
- Sends the user's phone number, contacts, geolocation, file info, and app version to attackers.
- Monitors location changes in real time and sends updates to a Telegram bot.
- Downloads additional modules to steal confidential files, especially those sent via Telegram and WhatsApp.
- Seeks the 'locLog' file from Alpine Quest, which contains location history logs.
Doctor Web tracks the previously undocumented spyware as 'Android.Spy.1292.origin' but did not make any attributions about its origin in its report. Indicators of compromise are available here.