Fake Alpine Quest Mapping App Spotted Spying on Russian Military

A fake Alpine Quest app laced with spyware was used to target Russian military Android devices, stealing location data, contacts, and sensitive files.
A malicious version of Alpine Quest, a popular Android navigation app, has been found carrying spyware aimed at Russian military personnel. Security researchers at Doctor Web uncovered the modified software embedded with Android.Spy.1292.origin spyware capable of harvesting data and extending its functionality through remote commands.
Alpine Quest is commonly used by outdoor enthusiasts, but it’s also relied on by soldiers in Russia’s military zones due to its offline mapping features. That made it a convenient cover for attackers, who repackaged an older version of the app and pushed it as a free download through a fake Telegram channel. The link led to an app store targeting Russian users, where the infected software was listed as a pro version of the app.
Once installed, the spyware collects all sorts of information. Each time the app is opened, it sends the user’s phone number, account details, contacts, geolocation, and a list of files stored on the device to a remote server. Some of this data is also sent to a Telegram bot controlled by the attackers, including updated location details every time the user moves.

Doctor Web’s analysis shows that this spyware is capable of more than passive tracking. After identifying which files are available, the malware can be instructed to download new modules designed to extract specific content. Based on its behaviour, the attackers appear especially interested in documents shared through messaging apps like Telegram and WhatsApp. It also seeks out a file called locLog, created by Alpine Quest itself, which logs user movements in detail.
Because the spyware is bundled with a working version of the app, it looks and functions normally, giving it time to operate unnoticed. Its modular design also means its capabilities can grow over time, depending on the attackers’ goals.
Doctor Web advises users to avoid downloading apps from unofficial sources, even when they appear to offer free access to paid features. Even on official app stores, it’s best to avoid installing apps you don’t truly need. Malicious apps have been known to slip past review processes on both Google Play and the App Store.
At the time of writing, the group behind the campaign has not been identified, and it remains unclear whether this operation is domestic or foreign in origin. However, similar operations in the past have been linked to Ukrainian hacktivist groups, including Cyber Resistance, also known as the Ukrainian Cyber Alliance. In 2023, they reportedly targeted spouses of Russian military personnel, extracting sensitive and personal data. There is still no confirmed attribution for the group behind this spyware campaign.
HackRead