Discover ESET

Our vision, values and technology.

Newsroom

Get the latest ESET updates.

Press releases

Company news at your fingertips.

Press contacts

Contact information for media and agencies.

Careers

Build a career with ESET.

ESET Research uncovers APT-C-23 group’s new Android spyware masked as Threema and Telegram

Next story

BRATISLAVA – ESET researchers have analyzed a new version of Android spyware used by APT-C-23, a threat group active since at least 2017 that is known for mainly targeting the Middle East. The new spyware, detected by ESET security products as Android/SpyC23.A, builds upon previously reported versions with extended espionage functionality, new stealth features and updated C&C communication. One of the ways the spyware is distributed is via a fake Android app store, impersonating well-known messaging apps, such as Threema and Telegram, as a lure.

ESET researchers started investigating the malware when a fellow researcher tweeted about an unknown, little-detected Android malware sample in April 2020. “A collaborative analysis showed that this malware was part of the APT-C-23 arsenal – a new, enhanced version of their mobile spyware,” explains Lukáš Štefanko, the ESET researcher who analyzed Android/SpyC23.A.

The spyware was found lurking behind seemingly legitimate apps in a fake Android app store. “When we analyzed the fake store, it contained both malicious and clean items. The malware was hiding in apps posing as AndroidUpdate, Threema and Telegram. In some cases, victims would end up with both the malware and the impersonated app installed,” comments Štefanko.

After installation, the malware requests a series of sensitive permissions, disguised as security and privacy features. “The attackers used social engineering-like techniques to trick victims into granting the malware various sensitive rights. For example, permission to read notifications is masked as a message encrypting feature,” details Štefanko.

Once initialized, the malware can carry out a range of espionage activities based on commands from its C&C server. Besides recording audio; exfiltrating call logs, SMS and contacts; and stealing files, the updated Android/SpyC23.A can also read notifications from messaging apps, make screen and call recordings, and dismiss notifications from some built-in Android security apps. The malware’s C&C communication has also undergone an update, making the C&C server more difficult to identify for security researchers.

The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017 by Qihoo 360 Technology under the name Two-tailed Scorpion. Since then, multiple analyses of APT-C-23’s mobile malware have been published. Android/SpyC23.A – the group’s latest spyware version – features several improvements making it even more dangerous to victims.

“To stay safe from spyware, we advise Android users to only install apps from the official Google Play Store, double-check the permissions requested, and use a trustworthy and up-to-date mobile security solution,” concludes Štefanko.

For more technical details about this spyware, read the blog post “APT-C-23 group evolves its Android spyware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET 
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on  LinkedIn, Facebook , and Twitter.