Russian Military Targeted by AlpineQuest Android Spyware Hidden in Trojanized Mapping App

Spyware hidden in a fake AlpineQuest app is stealing sensitive data from Russian soldiers, revealing operational plans via location tracking and real-time Telegram monitoring.

A new strain of Android spyware has been identified embedded within a modified version of the AlpineQuest mapping app, reportedly used by Russian military personnel for planning operations in active conflict zones.

Security researchers at Russian antivirus firm Doctor Web discovered the malware, which they track as Android.Spy.1292.origin. The malicious code is hidden inside a fully functioning copy of the premium AlpineQuest Pro app, which lets the spyware remain undetected while quietly harvesting sensitive data.

Trojanized AlpineQuest Used to Target Russian Forces

Attackers are distributing the trojanized version through Russian-language Telegram channels and app catalogs, offering it as a free cracked edition of the legitimate AlpineQuest Pro.

AlpineQuest is a GPS mapping tool widely used by adventurers, athletes, and emergency responders for its offline capabilities and high location accuracy. It is also popular among soldiers. The app comes in two official versions: a free Lite edition and a paid Pro version that contains no tracking libraries or ads.

The infected app closely mimics the real AlpineQuest, so it runs as expected while carrying out covert surveillance.

Spyware Capabilities Include Location Monitoring and File Theft

Once the trojanized app is launched, the embedded spyware begins extracting data from the infected device. The malware performs the following actions:

• Sends the device’s phone number, contact list, geolocation, file metadata, and app version to a remote server.
• Tracks and sends real-time location changes to a Telegram bot controlled by the attackers.
• Downloads additional malicious components to extract sensitive files, including those exchanged on Telegram and WhatsApp.
• Attempts to retrieve a file called locLog from AlpineQuest, which contains the user’s historical location data.
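
The distribution method (a sideloaded "cracked Pro" build) and the behaviours listed above are all things a device audit can check for without knowing the specific sample. The script below is an added example written for this article, not code from Doctor Web, AlpineQuest, or the original report: it triages one installed app from what an audit collected (installer, granted permissions, outbound URLs, files read) and flags the combination the article describes. The baseline permission set, the assumption that the attackers' bot is driven through the public Telegram Bot API host, the messenger directory names, and every package name, URL and path in the samples are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Permissions an offline GPS mapping app can plausibly justify (assumed baseline for this example).
MAPPING_PERMS = {
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
    "INTERNET", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}
# Identity and contact permissions a mapping app has no reason to hold; the article's
# spyware needs them to send the phone number and contact list to its server.
IDENTITY_PERMS = {"READ_CONTACTS", "READ_PHONE_STATE", "READ_PHONE_NUMBERS"}
# The article says location updates go to an attacker-controlled Telegram bot. Bots are
# driven through the public Bot API host; matching that host is an assumption about transport.
TELEGRAM_BOT_API = re.compile(r"^https://api\.telegram\.org/bot[^/\s]+/\w+")
# Files the article says the malware goes after: AlpineQuest's locLog history and files
# exchanged on Telegram/WhatsApp. The directory names are assumptions for the example.
TARGET_FILES = {
    "AlpineQuest locLog history": re.compile(r"(^|/)locLog$"),
    "messenger-exchanged files": re.compile(r"/(Telegram|WhatsApp)/", re.I),
}
PLAY_STORE = "com.android.vending"  # installer package recorded for Play-installed apps


@dataclass
class AppObservation:
    """What a device audit collected about one installed app."""
    package: str
    installer: str            # installer package name, "" when sideloaded
    permissions: set[str]
    outbound_urls: list[str]  # URLs seen in the app's network traffic
    file_reads: list[str]     # paths the app opened for reading


def triage(obs: AppObservation) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: list[str] = []
    if obs.installer != PLAY_STORE:
        findings.append("sideloaded: not installed from Google Play")
    extra = obs.permissions & IDENTITY_PERMS
    if extra:
        findings.append(f"identity/contact permissions a mapping app does not need: {sorted(extra)}")
    unexplained = obs.permissions - MAPPING_PERMS - IDENTITY_PERMS
    if unexplained:
        findings.append(f"other permissions outside the mapping baseline: {sorted(unexplained)}")
    bot_hits = [u for u in obs.outbound_urls if TELEGRAM_BOT_API.match(u)]
    if bot_hits:
        findings.append(f"Telegram Bot API traffic: {len(bot_hits)} request(s)")
    for label, pattern in TARGET_FILES.items():
        hits = [p for p in obs.file_reads if pattern.search(p)]
        if hits:
            findings.append(f"reads {label}: {hits[0]}")
    return findings


# Constructed samples, not real captures. Package names, URLs and paths are placeholders.
CLEAN_APP = AppObservation(
    package="com.example.mapping",
    installer=PLAY_STORE,
    permissions={"ACCESS_FINE_LOCATION", "INTERNET", "READ_EXTERNAL_STORAGE"},
    outbound_urls=["https://tiles.example.invalid/z/12/x/2048/y/1360.png"],
    file_reads=["/sdcard/Android/data/com.example.mapping/files/maps/region.map"],
)
TROJANIZED_APP = AppObservation(
    package="com.example.mapping.pro",          # placeholder for the "cracked Pro" build
    installer="",                                # sideloaded from a Telegram channel
    permissions={"ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "INTERNET",
                 "READ_EXTERNAL_STORAGE", "READ_CONTACTS", "READ_PHONE_STATE"},
    outbound_urls=["https://c2.example.invalid/upload",
                   "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage"],
    file_reads=["/sdcard/Android/data/com.example.mapping.pro/files/locLog",
                "/sdcard/WhatsApp/Media/WhatsApp Documents/orders.pdf"],
)

if __name__ == "__main__":
    for app in (CLEAN_APP, TROJANIZED_APP):
        print(app.package, "->", triage(app) or ["no findings"])
```

The clean sample produces no findings; the trojanized one trips all five checks. In practice the installer and permission fields come from `pm list packages -i` and `dumpsys package`, and the URL and file lists from whatever traffic capture or file-access telemetry the fleet already collects; no single check is conclusive on its own, but a sideloaded mapping app that also holds contact permissions and talks to a Telegram bot is worth pulling for analysis.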

The origin of the spyware remains unknown. Doctor Web did not attribute the malware to any known threat group.

Spyware Activity Mirrors Russian Cyber Tactics Used Against Ukraine

Historically, this method of targeting military personnel using trojanized tools has been associated with Russian operations. In 2022, attackers used a compromised Ukrainian Ministry of Defense email to distribute malware. Other campaigns in 2024 and early 2025, including those by threat actor UNC5812 and APT44, targeted Ukrainian forces using fake agencies and malicious QR codes.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” a Google spokesperson told BleepingComputer on April 24. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

The use of the AlpineQuest app in this recent campaign marks a shift, as Russian forces themselves become the target of similar cyber techniques.
