New Android spyware allegedly linked to C-23 APT from the Middle East

December 29, 2021
New Android Spyware C-23 APT Middle East Mobile Advanced Persistent Threat

Recent reports about a new Android spyware variant have been published, linking to an advanced persistent threat (APT) group from the Middle East. Researchers said that the spyware-injected application that pretends to be a tool for updating other Android apps is designed to be persistent and stealthy in executing attacks. The new variant also shares code with other malware variants linked to C-23 APT.

According to researchers, the malware has a generic app icon and name distributed via phishing text messages with the download link sent to the victims, claiming to be an app that updates other Android apps.

Once the victim installs the app and grants the permissions it requests, it disguises itself under legitimate app names and icons, such as Google, YouTube, and Chrome, making it hard for the victim to locate and uninstall. If the victim taps the disguised icon, the malicious app launches the real version of the app it is imitating while it continues its surveillance in the background.

The Android spyware app’s features in terms of surveillance include collecting text messages, contact lists, call logs, photos, audio recordings, and documents found on the infected device. It can also take pictures and screenshots, read notifications, record the device’s screen, and delete security app notifications.


The Android spyware is likely linked to APT C-23 and has been actively launching attacks for more than four years.


The threat actors who operate the spyware have continuously enhanced it with new tactics to avoid detection and removal. With the help of social engineering, they also lure victims into granting every permission the spyware needs to spy on every corner of the device.
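The disguise, surveillance features and permission grab described above suggest a simple defender-side triage check: flag any installed package whose display label imitates a well-known brand but whose package name is not the official one, and count how many surveillance-grade permissions it declares. The script below is an added example written for this article, not code from the researchers or from the malware; the inventory it scans is constructed inline (the package name `com.update.helper` is a hypothetical stand-in, not an indicator from the report), and the official package names for Google, YouTube and Chrome are the publicly known identifiers of those apps.

```python
"""Triage heuristic for apps that imitate a well-known brand while declaring
surveillance-grade permissions. Added example, not from the article."""

# Official package names of the brands the article says the spyware imitates.
OFFICIAL_PACKAGES = {
    "google": {"com.google.android.googlequicksearchbox"},
    "youtube": {"com.google.android.youtube"},
    "chrome": {"com.android.chrome"},
}

# Manifest permissions that map onto the surveillance features described:
# text messages, contacts, call logs, audio recordings, camera, and files.
# Notification access and screen capture are granted through Settings or a
# MediaProjection prompt rather than a manifest permission, so a fuller check
# would also read the notification-listener allow-list.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed inventory, shaped like what one would assemble from
# `adb shell pm list packages` plus each package's declared permissions.
# "com.update.helper" is a hypothetical stand-in, not a real indicator.
SAMPLE_INVENTORY = [
    {"package": "com.google.android.youtube", "label": "YouTube",
     "permissions": {"android.permission.INTERNET", "android.permission.CAMERA"}},
    {"package": "com.update.helper", "label": "YouTube",
     "permissions": {"android.permission.READ_SMS",
                     "android.permission.READ_CONTACTS",
                     "android.permission.READ_CALL_LOG",
                     "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA",
                     "android.permission.READ_EXTERNAL_STORAGE"}},
    {"package": "com.example.notes", "label": "Notes",
     "permissions": {"android.permission.INTERNET"}},
]


def impersonated_brand(label, package):
    """Return the brand a label mimics when the package is not the official one."""
    normalized = label.strip().lower()
    for brand, packages in OFFICIAL_PACKAGES.items():
        if brand in normalized and package not in packages:
            return brand
    return None


def surveillance_score(permissions):
    """Number of declared permissions that fall in the surveillance set."""
    return len(set(permissions) & SURVEILLANCE_PERMISSIONS)


def triage(inventory, min_score=3):
    """Flag brand impersonation or a surveillance-heavy permission set."""
    findings = []
    for app in inventory:
        brand = impersonated_brand(app["label"], app["package"])
        score = surveillance_score(app["permissions"])
        if brand is not None or score >= min_score:
            findings.append({
                "package": app["package"],
                "impersonates": brand,
                "surveillance_permissions": score,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Against the constructed inventory, only the stand-in package is reported: its label says "YouTube" while its package name is not the official one, and it declares all six surveillance permissions. The real YouTube entry passes because its package name matches, and the notes app passes because it neither imitates a brand nor reaches the permission threshold.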

Furthermore, the C-23 APT group has been actively launching cyberattacks in the Middle East since 2017. The newly discovered variants also share code with other malware variants linked to the group. The spyware's code contains Arabic-language strings, some of which are rendered in either English or Arabic depending on the language setting of the victim's device.
