Malicious DELTA themed Android App found in 2025
More malicious activity utilising DELTA themes from a suspected Russia-based threat actor
Visualisation of the Android application by the sandbox provider Hybrid Analysis
Executive Summary
A suspected Russia-based threat actor has developed a new Android malware toolkit which is likely capable of stealing files and information from a phone. The threat actor has used a Ukrainian military theme common among many Russia-based threat actors. This Android application is not available on common multi-antivirus scanners like VirusTotal.
Analysis
Note: My analysis of this file is limited because I was unable to download it, as I am not a vetted member of the online sandbox provider. I'm publishing this blog post to make security researchers aware of this activity and to allow further research where possible. I'm also publishing it to verify myself as a researcher to Hybrid Analysis. If anyone has the capability to download the sample, please send it to hello[@]itsjack[.]cc
While conducting research on the Russia-Ukraine conflict I stumbled upon a malicious Android application that antivirus providers rated as clean according to the online scanning service MetaDefender. Such scanning results aren't always conclusive, as some security technologies cannot be applied in the same way they would be in a normal environment, which skews the results. What is clear, however, is that none of the scanning engines provided through MetaDefender determine this to be malicious or a threat. Hybrid Analysis, through its dynamic and static analysis of the Android application, has also determined this sample is not a threat.[1]
From my analysis, this sample is a threat and is likely used to steal information. The sample in question is briefly described below:
Filename: DELTA.mil.gov.ua (РФ).apk
SHA256 Hash: 827d77be9a145df7826558ec62fdefb1609827001f182b6b900511109858c80f
Size: 9133663 bytes (8.7MB)
Description: Malicious Android Application
File Format: APK
File Submission Date: 26-02-2025 16:38:05
The filename, DELTA.mil.gov.ua (РФ).apk, indicates a DELTA military theme. DELTA is a situational awareness and battlefield management system developed by the Ukrainian military.[2] The system upholds strict NATO security standards.[3] This isn't the first time that DELTA has been used as a theme in an attack. In December 2022 CERT-UA reported DELTA-themed spear phishing of its defence staff, which claimed that DELTA needed a certificate update.[4] Between July and October 2024, a well-known Russia-based threat actor was conducting phishing using DELTA themes.[5][6]
The sample, like every Android application, is signed; however, it is essentially self-signed, using a debug keystore. From the signing certificate we can estimate how recently this application was built:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial: 1
Validity: 01/14/2025 11:38:18 - 01/07/2055 11:38:18
Hashes (MD5, SHA1):
07:8E:6A:D6:DA:31:D4:33:65:D3:93:05:5D:04:37:59
1E:46:8C:CF:4B:CC:8F:C8:78:DC:1C:3E:83:80:B7:6E:6B:1A:55:50
This application could not have been distributed through the Google Play store, as it was signed with a debug keystore. It was likely self-distributed. Ukrainian military themed malicious Android applications have previously been observed by threat intelligence companies. For example, Google TAG (Threat Analysis Group) observed Turla distributing a "Cyber Azov" Android application in March 2022.[7] In 2016, CrowdStrike identified a malicious Android application, attributed to Fancy Bear, that tracked field artillery units.[8]
The APK requests the following permissions according to its application manifest:
android.permission.INTERNET
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_CONTACTS
xss.nmz.gallgrab_nmz.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
One detail was interesting to me: xss.nmz.gallgrab_nmz, the name of the application's entry point. When conducting open source research I found details of malicious Android application source code intended to steal gallery pictures from an infected device.[9][10] I assess it is probable that the code does not originate from these sources, but from XSS.IS, a Russian cyber crime forum originally called DamageLab. However, it should be noted that in the former source we do see a forum user called NMZ describing the code in detail. The first source was published in July 2023 and the second in October 2024, indicating the first is the more authentic of the two.
I assess it is highly probable that the developer of the malicious application used this project as a template before extending it with additional features. Comparing the requested permissions, we can identify the differences:
Requested permissions found in 2023 code:
android.permission.INTERNET
android.permission.READ_MEDIA_IMAGES
Requested permissions found in malicious application in 2025:
android.permission.INTERNET
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_CONTACTS
There are also differences in the Android libraries used: for example, okhttp[11] is a library referenced regularly in our malicious Android application, whereas the 2023 code uses Java's HttpURLConnection or raw sockets. Use of crime toolkits or resources is common among Russia-based threat actors; for example, ROMCOM was first suspected of being a financially motivated threat actor, but later showed indications of espionage as well.[12]
From my analysis, this project is highly likely designed to steal files from a phone and send them to a C2 server. Without the sample to reverse engineer, I can't go any further in understanding it. However, I assess it is probable that a Russia-based threat actor is targeting a Ukrainian entity, or a Ukrainian-aligned entity.
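The two triage steps above, reading the debug signing certificate and comparing the requested permissions against the suspected 2023 template, can be scripted so they apply to any sandbox report of this kind. This is an added example, not code from the post; the signer block is a constructed sample in the layout shown above, and the permission sets are the ones listed in the post.

```python
import re
from datetime import datetime

# Constructed sample input, laid out like the signer block shown in this post.
SAMPLE_CERT_TEXT = """Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial: 1
Validity: 01/14/2025 11:38:18 - 01/07/2055 11:38:18"""

DEBUG_DN = "C=US, O=Android, CN=Android Debug"  # DN of the stock Android debug keystore
DATE_FMT = "%m/%d/%Y %H:%M:%S"
SUBMITTED = datetime(2025, 2, 26, 16, 38, 5)  # sandbox submission date from the post

def parse_cert_text(text: str) -> dict:
    """Extract owner, issuer, serial and validity; 'Serial:' may also be fused onto the Issuer line."""
    owner = re.search(r"^Owner:\s*(.+?)\s*$", text, re.M)
    issuer = re.search(r"^Issuer:\s*(.+?)(?:\s+Serial:\s*\d+)?\s*$", text, re.M)
    serial = re.search(r"Serial:\s*(\d+)", text)
    validity = re.search(r"^Validity:\s*(.+?)\s*-\s*(.+?)\s*$", text, re.M)
    if not (owner and issuer and validity):
        raise ValueError("signer block is missing Owner, Issuer or Validity")
    return {"owner": owner.group(1), "issuer": issuer.group(1),
            "serial": serial.group(1) if serial else None,
            "not_before": datetime.strptime(validity.group(1), DATE_FMT),
            "not_after": datetime.strptime(validity.group(2), DATE_FMT)}

def signing_findings(cert: dict) -> list[str]:
    """Triage flags a reviewer can raise from the signing certificate alone."""
    findings = []
    if cert["owner"] == DEBUG_DN and cert["issuer"] == DEBUG_DN:
        findings.append("self-signed with the Android debug keystore: not Play-distributable")
    if cert["serial"] == "1":
        findings.append("serial 1: a freshly generated keystore rather than a reused developer identity")
    if (cert["not_after"] - cert["not_before"]).days > 365 * 20:
        findings.append("decades-long validity, as produced by tooling-generated debug keystores")
    return findings

def days_from_keystore_to_submission(cert: dict, submitted: datetime) -> int:
    """notBefore is the earliest moment the APK could have been signed with this key."""
    return (submitted - cert["not_before"]).days

def permission_delta(template: set[str], sample: set[str]) -> dict:
    """Compare a sample's requested permissions with those of a suspected source template."""
    return {"shared": sorted(template & sample), "added": sorted(sample - template),
            "dropped": sorted(template - sample)}

TEMPLATE_2023 = {"android.permission.INTERNET", "android.permission.READ_MEDIA_IMAGES"}
SAMPLE_2025 = {"android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_CONTACTS"}

if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_CERT_TEXT)
    print(signing_findings(cert), days_from_keystore_to_submission(cert, SUBMITTED),
          permission_delta(TEMPLATE_2023, SAMPLE_2025), sep="\n")
```

For the sample in this post the keystore was created 43 days before the sandbox submission, which bounds how old the build can be.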
Indicators of Compromise
SHA256: 827d77be9a145df7826558ec62fdefb1609827001f182b6b900511109858c80f
MITRE ATT&CK
T1592.002 - Gather Victim Host Information: Software - https://attack.mitre.org/techniques/T1592/002/
T1587.001 - Develop Capabilities: Malware - https://attack.mitre.org/techniques/T1587/001/
T1204.002 - User Execution: Malicious File - https://attack.mitre.org/techniques/T1204/002/
T1083 - File and Directory Discovery - https://attack.mitre.org/techniques/T1083/
T1005 - Data from Local System - https://attack.mitre.org/techniques/T1005/
Appendix
Original URL: https://hybrid-analysis.com/sample/827d77be9a145df7826558ec62fdefb1609827001f182b6b900511109858c80f/67bf436cb4c83df26c069707
[1] https://hybrid-analysis.com/sample/827d77be9a145df7826558ec62fdefb1609827001f182b6b900511109858c80f
[2] https://mil.in.ua/en/news/ukraine-unveiled-its-own-delta-situational-awareness-system/
[3] https://mod.gov.ua/en/news/in-ukraine-for-the-first-time-the-cyber-security-of-the-combat-system-was-tested-according-to-nato-standards
[4] https://cert.gov.ua/article/3349703
[5] https://urlscan.io/result/2e3329b8-c072-4a8c-8b8d-8bdf805b8010/
[6] https://urlscan.io/result/431bb809-7471-4785-9bc6-cf8ebbb71b30/
[7] https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
[8] https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
[9] https://lolz.live/threads/7713628/
[10] https://happenedyesterday.icu/software/android/android-gallery-stealer-source-code-english-android-photos-whatsapp-grab/
[11] https://github.com/square/okhttp
[12] https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/