A threat actor notorious for targeting victims in the Middle East has improved its Android spyware, making it stealthier and more persistent while it passes itself off as seemingly innocuous app updates to remain undetected.
In a report published Tuesday, Sophos threat researcher Pankaj Kohli said that the new variants have “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that try to block access to, or shut down, their command-and-control server domains.”
The mobile spyware has been a preferred tool of the APT-C-23 threat group since at least 2017, with successive iterations adding surveillance functionality to harvest files, images, contacts, and call logs, read notifications from messaging apps, record calls (including WhatsApp calls), and dismiss notifications from built-in Android security apps.
The malware has previously been disseminated through phoney Android app stores posing as AndroidUpdate, Threema, and Telegram. The latest campaign is similar in that it uses apps with names like App Upgrades, System Apps Updates, and Android Update Intelligence that ostensibly install updates on the target's phone. The spyware app is thought to be delivered by the attackers sending a download link to the victim in phishing messages.
Once installed, the app begins requesting invasive permissions in order to carry out a series of harmful behaviours designed to evade manual removal. Not only does the app change its icon and name to blend in with well-known apps like Chrome, Google, Google Play, and YouTube, but if the user taps the fake icon, the genuine app is launched while the spyware keeps running in the background, carrying out its surveillance tasks.
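A defender-side triage helper for the impersonation pattern described above, added here as an example (it is not Sophos code and not part of the report). It assumes an app inventory has already been pulled from a device; the inventory below, including the `com.example.*` package names, is constructed for illustration.

```python
"""Flag installed apps that borrow a well-known app's name but not its package,
or that carry the permission set the spyware needs (contacts, call logs,
audio/call recording, notification reading, file access)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Real package names of the apps the spyware is reported to impersonate.
TRUSTED_PACKAGES: Dict[str, Set[str]] = {
    "google play": {"com.android.vending"},
    "chrome": {"com.android.chrome"},
    "google": {"com.google.android.googlequicksearchbox"},
    "youtube": {"com.google.android.youtube"},
}

# Permissions matching the reported capabilities. BIND_NOTIFICATION_LISTENER_SERVICE
# is declared on an app's notification-listener service rather than requested.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.READ_EXTERNAL_STORAGE",
}


@dataclass
class App:
    package: str
    label: str
    permissions: Set[str] = field(default_factory=set)


def triage(app: App) -> List[str]:
    """Return the reasons an app looks suspicious (empty list = none found)."""
    reasons: List[str] = []
    label = app.label.strip().lower()
    # Longest brand name first so "Google Play Store" is not matched as "google".
    brand = next((b for b in sorted(TRUSTED_PACKAGES, key=len, reverse=True)
                  if label == b or label.startswith(b + " ")), None)
    if brand is not None and app.package not in TRUSTED_PACKAGES[brand]:
        reasons.append(f"label '{app.label}' but package {app.package} is not the real app")
    elif brand is None and any(w in label for w in ("update", "upgrade")):
        reasons.append(f"update-themed lure name '{app.label}'")  # weak signal on its own
    hits = app.permissions & SURVEILLANCE_PERMS
    if len(hits) >= 3:
        reasons.append(f"{len(hits)} surveillance-grade permissions: {sorted(hits)}")
    return reasons


def triage_inventory(apps: List[App]) -> Dict[str, List[str]]:
    """Map each flagged package to its reasons; clean apps are omitted."""
    return {a.package: r for a in apps if (r := triage(a))}


# Constructed sample inventory: one genuine app, one impersonator, one lure.
SAMPLE_INVENTORY = [
    App("com.android.chrome", "Chrome", {"android.permission.INTERNET"}),
    App("com.example.sysupdate", "Chrome", {"android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}),
    App("com.example.updater", "System Apps Updates", {"android.permission.READ_CONTACTS"}),
]
```

Feed it real label/package/permission data (for example from `pm list packages` and per-package `dumpsys package` output) and review every flagged entry by hand; a label match alone is not proof of compromise.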