{
	"id": "bbd908e4-0af2-49f1-9422-abea85d79916",
	"created_at": "2026-04-06T00:12:10.873553Z",
	"updated_at": "2026-04-10T03:37:50.649701Z",
	"deleted_at": null,
	"sha1_hash": "206b45bc10aa7e61bd643a63db7dc836dc8aa426",
	"title": "Technical details on the Fancy Bear Android malware (poprd30.apk) – CrySyS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952279,
	"plain_text": "Technical details on the Fancy Bear Android malware\r\n(poprd30.apk) – CrySyS Blog\r\nPublished: 2017-01-03 · Archived: 2026-04-05 14:21:39 UTC\r\nBackground\r\nRecently, CrowdStrike has published details about a malicious Android APK file, named poprd30.apk or Попр-Д30.apk. It seems that the malware was created by the Fancy Bear group for tracking Ukrainian field artillery\r\nunits (more info on this can be found here: https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf). The corresponding APK is identified by the MD5\r\nhash 6f7523d3019fa190499f327211e01fcb on a related blog site https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/. However, not many technical details have been given by\r\nCrowdStrike on the attack. During the discussions on the topic, Jeffrey Carr contacted us and sent\r\nus some questions on whether the case is real and how exactly the attack works, in particular, how the malware could have\r\nbeen used in military conflicts.\r\nWe carried out only a short investigation on the topic. 
Our goal was to uncover more technical details about the\r\nattack and to confirm the existence of the backdoor in the particular APK file.\r\nHighlights\r\nWe can confirm that the APK file known by the MD5 hash 6f7523d3019fa190499f327211e01fcb contains\r\na backdoor that tries to communicate with a remote server.\r\nThe server IP in the sample is http://69.90.132[.]215/\r\nThe malicious APK does not use GPS to get the exact location of the infected phone; it does not even ask for\r\nGPS-level position information.\r\nWe note, however, that some location information can be collected by the malicious APK, mainly related to\r\nthe actual base station used by the phone and the WiFi status.\r\nThe implant in the malicious APK has similarities to the X-Agent implants of the Fancy Bear / APT28 /\r\nSofacy group described in former reports, but this is not necessarily evidence of a relationship, as\r\nsuch similarities can be faked.\r\nWe uncovered two interesting items: the malware authors put the German word “nichts” as a string in the\r\ncode, and they also made a typo, “phone standart.”\r\nDetails\r\nIn February 2015, Trend Micro posted details about an iOS espionage app possibly related to the Pawn Storm /\r\nSofacy / APT28 / Fancy Bear group. The technical details can be found at http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/. 
Figure 5 of the Trend Micro document shows\r\npossible URL GET parameters used by the malicious code:\r\nhttp://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/\r\nPage 1 of 6\n\nIn the poprd30.apk code very similar items can be found related to the malicious communications:\r\nBy looking into BuildConfig it seems that someone recompiled this APK with a modified Android Debug Key.\r\nAs one can see, the strings in the APK file are very similar to those in the X-Agent implant, and have the same\r\ncommon goal: make the HTTP request look like a normal HTTP GET request with common parameters. However,\r\nthis similarity alone is not enough to state that the authors are the same, because it is very easy to copy this\r\nscheme.\r\nAlso, observe the initial value of the SERVER_ANSWER variable. It is “nichts,” which means “nothing” in\r\nGerman. We don’t know why a German word was used here. Note that this value is not used in the code; it stands\r\nonly as a default value. That means that if no value is received from the server, then the corresponding function will\r\nreturn this value instead of the information received from the server. In the RegG.java file, which has a similar\r\nSERVER_ANSWER variable, the default value is set to ‘{ “no_jobs”, “or”, “error” };’. Setting a default value\r\ngenerally helps developers to find out whether the data transmission was successful in parts of the code not close to\r\nthe transmission itself. One can simply check if the answer is still the default value, and if it is, one can be sure that\r\nthe transmission was not successful, without complicated routines. 
However, in this APK we found no reference\r\nchecking whether SERVER_ANSWER has been changed, and we don’t have a clear idea why these two default\r\nvalues were used in the code.\r\nCommands\r\nCommunication routines are spread across multiple classes: DataConstructor, DataExtractor, Reg, RegG, RegP,\nRegPBin. The main handling of the commands is in MainService. It is not entirely clear why there are multiple\ncopies of some data and routines.\nThe malware sends basic info about the phone to the attacker as shown below:\nbyte[] arrayOfByte = Base64.encode((“\n\nCMD 101 success” + “  \n    GoogleAccounts: ” + str1 + “  \n    Device ID: ” + str2 + “  \n    Model: ” + Build.MODEL\n    + “  \n    Manufacturer: ” + Build.MANUFACTURER + “  \n    Phone standart: ” + str4 + “  \n    Country: ” + str5 +\n    “  \n    MCC \u0026 MNC: ” + str6 + “  \n    Base station: ” + str3 + “  \n    Android version: ” + str7 + “  \n    Android\n    SDK: ” + m + “\n\n”).getBytes(), 0);\nThe malware can receive the following commands:\nCommands 103 105 108: stop itself\nCommand 100 : Send SMS History /commands are self-explanatory/\nCommand 101: Collect “all” information about the phone and send\nCommand 102: GetCallDetails (Call history)\nCommand 104: FetchContacts\nCommand 106: GetAppList\nCommand 107: GetWifiStatus (is any WiFi network available, what identifier, what MAC address, speed,\netc.)\nCommand 109: Browser history and bookmarks\nCommand 110: Mobile data usage\nCommand 111: Folders and files from sdcard directory\nCommand 112: File download (SDcard) for command\nCommand 101 – Gets GSM network LAC, CID info or base station info (coordinates) if CDMA, Android\nversion, Google accounts, device ID, etc.\nCommand 101 has a typo “phone standart” which 
should be “standard” both in English and German.\r\nFor command 101, it is important to note that it can provide location-related information. In the case of GSM, the\r\nbase station related information can provide some (not so accurate) location information. Similarly, in the case of\r\nCDMA, base station information is related to location, but it is not accurate either. In addition to the base station,\r\nWiFi information can also help an adversary to find out the approximate location of the phone, but it is nowhere\r\nclose to accurate detection of the real location of the phone.\r\nWe have not seen any GPS related commands in the code, not even the original “D30 guidance” functionality.\r\nMost likely, the APK does not use GPS data. To be even more precise, the application Manifest information does\r\nnot contain any requests for GPS-level location permissions; it asks for ACCESS_COARSE_LOCATION\r\nonly, which relates to the base station/WiFi based location information.\r\nEncryption – RC4\r\nThe malware uses communications encrypted by RC4, encoded by Base64 (or something very similar – we did not check it\r\ncarefully), and CRC for error checking. 
These are very common, but the most important thing is the RC4\r\nimplementation and the key in use, which can be shown to be similar to the older X-Agent implants.\r\nThe corresponding RC4 key is also visible in the Java byte code format:\r\nIn hex, the encryption key is 3B C6 73 0F 8B 07 85 c0 74 02 FF CC DE C7 04 FE 72 F1 5F 5E C3 56 B8 D8 78\r\n75 50 E8 B1 D1 FA 59 5D 55 EC 83 10 A1 33 35\r\nNote: RC4 keys can be of arbitrary length, and the implementation is very easy, hence it is used many times. On the other\r\nhand, RC4 is not secure enough for real crypto operations.\r\nConclusions\r\nIn our investigations, we tried to check if the APK indicated in the CrowdStrike report had backdoor\r\nconnectivity. We can confirm that this APK file has malicious functionality and can be used to collect intelligence\r\nfrom the users of the applet. Some additional technical details were discussed. We (and probably CrowdStrike,\r\ntoo) had no access to the original, unmodified APK file.\r\nUPDATE1\r\nSome Linux X-Agent versions used exactly the same RC4 key, see this screenshot:\r\nRC4 key in linux xagent\r\nSource: http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/"
	],
	"report_names": [
		"technical-details-on-the-fancy-bear-android-malware-poprd30-apk"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/206b45bc10aa7e61bd643a63db7dc836dc8aa426.pdf",
		"text": "https://archive.orkl.eu/206b45bc10aa7e61bd643a63db7dc836dc8aa426.txt",
		"img": "https://archive.orkl.eu/206b45bc10aa7e61bd643a63db7dc836dc8aa426.jpg"
	}
}