BRATISLAVA – ESET researchers have analysed a new version of Android spyware used by APT-C-23, a threat group active since at least 2017 that is known for mainly targeting the Middle East. The new spyware, detected by ESET security products as Android/SpyC23.A, builds upon previously reported versions with extended espionage functionality, new stealth features and updated C&C communication. One of the ways the spyware is distributed is via a fake Android app store, impersonating well-known messaging apps, such as Threema and Telegram, as a lure.
ESET researchers started investigating the malware when a fellow researcher tweeted about an unknown, little-detected Android malware sample in April 2020. “A collaborative analysis showed that this malware was part of the APT-C-23 arsenal – a new, enhanced version of their mobile spyware,” explains Lukáš Štefanko, the ESET researcher who analysed Android/SpyC23.A.
The spyware was found lurking behind seemingly legitimate apps in a fake Android app store. “When we analysed the fake store, it contained both malicious and clean items. The malware was hiding in apps posing as AndroidUpdate, Threema and Telegram. In some cases, victims would end up with both the malware and the impersonated app installed,” comments Štefanko.
After installation, the malware requests a series of sensitive permissions, disguised as security and privacy features. “The attackers used social engineering-like techniques to trick victims into granting the malware various sensitive rights. For example, permission to read notifications is masked as a message encrypting feature,” details Štefanko.
Once initialised, the malware can carry out a range of espionage activities based on commands from its C&C server. Besides recording audio, exfiltrating call logs, SMS and contacts, and stealing files, the updated Android/SpyC23.A can also read notifications from messaging apps, make screen and call recordings and dismiss notifications from some built-in Android security apps. The malware’s C&C communication has also undergone an update, making the C&C server more difficult to identify for security researchers.
The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017 by Qihoo 360 Technology under the name Two-Tailed Scorpion. Since then, multiple analyses of APT-C-23’s mobile malware have been published. Android/SpyC23.A – the group’s latest spyware version – features several improvements making it even more dangerous to victims.
“To stay safe from spyware, we advise Android users to only install apps from the official Google Play Store, double-check the permissions requested and use a trustworthy and up-to-date mobile security solution,” concludes Štefanko.
For more technical details about this spyware, read the blog post “APT-C-23 group evolves its Android spyware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centres worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit our website or follow us on LinkedIn, Facebook and Twitter.