A report detailing new variants of Android spyware associated with the APT C-23 group has been released. The new variants have enhanced stealth and persistence capabilities and are aimed at individuals in the Middle East.
The spyware, according to Sophos researchers, impersonates an update app with a generic icon and names such as App Updates, System Apps Updates, or Android Update Intelligence. It spreads through a download link embedded in a text message sent to the target's phone. When the spyware app is first launched, it requests several permissions that give it control over the phone; the attackers rely on social engineering to obtain them, claiming they are required for the app to function. Once the permissions are granted, the spyware disguises itself with the name and icon of a legitimate app, which makes it harder for users to notice and manually remove it.
The new spyware variants hide behind well-known app icons such as Chrome, Google Play, YouTube, Google, or the BOTIM voice-over-IP service. If a victim taps the fake icon, the spyware launches the genuine version of that app while continuing to spy in the background. The new variants share code with other malware samples associated with APT C-23. The researchers found Arabic-language strings in the code, and some of the text can be displayed in either English or Arabic depending on the language setting of the victim's phone.
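A simple inventory check a defender can run against the two lures described above (the update-themed names from the SMS stage and the borrowed labels of Chrome, Google Play, YouTube, Google and BOTIM). This is an added example, not code from the Sophos report; the genuine package names are ones I know for those apps and should be verified against your own device baseline, and the sample inventory is constructed, not real indicators.

```python
# Added example (not from the Sophos report): flag installed apps whose visible label
# copies a well-known app, or reads like an "update" utility, while the package is not
# the genuine one or was not installed through Google Play.

# Labels the report says the spyware borrows -> genuine package names (assumed; verify
# against your own inventory before relying on them).
GENUINE_PACKAGES = {
    "chrome": {"com.android.chrome"},
    "google play": {"com.android.vending"},
    "youtube": {"com.google.android.youtube"},
    "google": {"com.google.android.googlequicksearchbox"},
    "botim": {"im.thebot.messenger"},
}

# Update-themed labels the report lists for the initial lure.
UPDATE_LURE_WORDS = ("app updates", "system apps updates", "android update intelligence")

GOOGLE_PLAY_INSTALLER = "com.android.vending"


def flag_suspicious_apps(apps):
    """apps: iterable of (label, package, installer) tuples.

    installer is the package that installed the app, or None if sideloaded.
    Returns a list of (package, reason) findings in inventory order."""
    findings = []
    for label, package, installer in apps:
        norm = label.strip().lower()
        # Case 1: label matches a well-known app but the package is not the genuine one.
        for name, genuine in GENUINE_PACKAGES.items():
            if norm == name and package not in genuine:
                findings.append((package, f"label '{label}' mimics {name} but package is not genuine"))
        # Case 2: update-themed label that did not come from Google Play.
        if any(word in norm for word in UPDATE_LURE_WORDS) and installer != GOOGLE_PLAY_INSTALLER:
            findings.append((package, f"update-themed label '{label}' installed outside Google Play"))
    return findings


# Constructed sample inventory (not real indicators): (label, package, installer)
SAMPLE_APPS = [
    ("Chrome", "com.android.chrome", GOOGLE_PLAY_INSTALLER),
    ("YouTube", "com.google.android.youtube", GOOGLE_PLAY_INSTALLER),
    ("Chrome", "com.example.sysupd", None),               # impersonator, sideloaded
    ("System Apps Updates", "com.example.updater", None),  # update lure, sideloaded
    ("Notes", "com.example.notes", GOOGLE_PLAY_INSTALLER),
]

if __name__ == "__main__":
    for package, reason in flag_suspicious_apps(SAMPLE_APPS):
        print(package, "->", reason)
```

On a real device the package and installer columns can be collected with `adb shell pm list packages -i`; the visible labels have to be gathered separately, so this check assumes you already have both.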
Previous versions of this malware relied on a single C2 domain that the attackers embedded in the app and controlled. If a defender discovered and took down that domain, the spyware stopped working. Newer versions address this weakness by being able to switch the C2 server to a different domain, which lets the spyware keep operating even after the original domain has been taken down.
By posing as legitimate apps, the attackers dupe victims into installing malicious ones. Users are advised to install apps only from official sources such as Google Play. Furthermore, always update Android OS and applications through Android Settings and Google Play as soon as patches become available.