
APT C-23 Targeting Android Users in Middle East with Spyware

A report has been released detailing new variants of Android spyware associated with the APT C-23 group. The new variants boast improved stealth and persistence features and target individuals in the Middle East.

What has been observed?

According to Sophos researchers, the spyware impersonates an app updater, using a generic icon and names that contain words such as App Updates, System Apps Updates, or Android Update Intelligence.
  • It spreads via a download link in a text message sent to the target’s phone.
  • When the spyware app is opened for the first time, it asks for several permissions that give it control over the phone. The attackers use social engineering to get the required permissions enabled, claiming they are needed for the app to function.
  • After obtaining the required permissions, the spyware masks itself with the name and icon of a genuine app, which makes it harder for users to spot or manually remove.

More about the new variants

The new variants of the spyware hide behind well-known app icons such as Chrome, Google Play, YouTube, Google, or the BOTIM voice-over-IP service.
  • If the victim taps a fraudulent icon, the spyware launches a genuine version of the app while performing surveillance in the background.
  • The new variants share code with other malware samples linked to APT C-23.
  • The researchers found Arabic-language strings in the code, and some of the text can be shown in either English or Arabic, depending on the language setting of the victim’s phone.
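A defender-side triage check for the two disguises described above (update-themed names, and the label and icon of a well-known app), as an added example that is not from the Sophos report or this page. It assumes an app inventory of (visible label, package name) pairs, for instance exported from an MDM, and assumes the genuine package names listed in KNOWN_LABELS.

```python
import re

# Assumed genuine package names for the apps the spyware impersonates.
# The BOTIM entry is an assumption; verify against your own device baseline.
KNOWN_LABELS = {
    "chrome": {"com.android.chrome"},
    "google play": {"com.android.vending"},
    "google play store": {"com.android.vending"},
    "youtube": {"com.google.android.youtube"},
    "google": {"com.google.android.googlequicksearchbox"},
    "botim": {"im.thebot.messenger"},
}

# Update-themed lure names quoted in the report: "App Updates",
# "System Apps Updates", "Android Update Intelligence", and similar.
UPDATE_LURE = re.compile(r"\b(app|apps|system|android)\b.*\bupdates?\b", re.I)


def triage(inventory):
    """Return (package, reason) findings for apps whose label matches a
    well-known app but whose package is not the genuine one, or whose
    label looks like an update lure. inventory: iterable of (label, package)."""
    findings = []
    for label, package in inventory:
        genuine = KNOWN_LABELS.get(label.strip().lower())
        if genuine is not None and package not in genuine:
            findings.append((package, f"label {label!r} impersonates {sorted(genuine)[0]}"))
        elif UPDATE_LURE.search(label):
            findings.append((package, f"update-themed label {label!r}"))
    return findings


# Constructed sample inventory; the com.example.* packages are placeholders.
SAMPLE = [
    ("Chrome", "com.android.chrome"),               # genuine, not flagged
    ("Chrome", "com.example.updater"),              # impersonation
    ("System Apps Updates", "com.example.sysupd"),  # update lure
    ("YouTube", "com.google.android.youtube"),      # genuine, not flagged
    ("Android Update Intelligence", "com.example.aui"),  # update lure
    ("Calculator", "com.android.calculator2"),      # unrelated app
]

if __name__ == "__main__":
    for package, reason in triage(SAMPLE):
        print(f"{package}: {reason}")
```

A label match alone is not proof of compromise, so treat findings as leads for pulling the APK and its requested permissions, not as a verdict.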

A common flaw in the previous variants

  • Previous versions of this malware relied on a single C2 domain that was hard-coded into the app and controlled by the attackers. If a defender discovered and took down that domain, the spyware stopped working.
  • This weakness is fixed in the newer versions, which can switch the C2 server to a different domain, allowing the spyware to keep operating even after the original domain is taken down.

Conclusion

The attackers are fooling victims into installing malicious apps by presenting them as legitimate ones. To stay protected, users are advised to install apps only from official sources such as Google Play. Moreover, always update the Android OS and applications via Android Settings and Google Play, respectively, as soon as patches are available.

Cyware Publisher