Starting from a little-known malware sample, security researchers found new Android spyware distributed through bogus messaging apps such as Threema, Telegram, and WeMessage.
The malware comes from APT-C-23, an advanced threat group that has run espionage campaigns against military and educational institutions since before July 2015.
An updated version discovered earlier this year adds an impressive set of new features that let the spyware dismiss notifications from the security solutions built into Samsung, Xiaomi, and Huawei devices, so it can run unnoticed.
Hiding in fake apps
In April 2020, security researcher MalwareHunterTeam tweeted about an Android spyware sample that had a very low detection rate on VirusTotal. Upon examining the sample, ESET researchers discovered that it was part of the malware toolkit used by the threat actor APT-C-23.
About two months later, in June, MalwareHunterTeam found a new sample of the same malware hidden in the installation file of the Telegram messaging app available on DigitalApps, an unofficial Android store.
Because their security solution was among the few to detect APT-C-23’s new spyware in the wild, ESET began investigating and discovered that the malware was also lurking in other applications listed in the store.
They found it in Threema, a secure messaging platform, and in AndroidUpdate, an app billing itself as a system update for the mobile platform.
With the Threema and Telegram lookalikes, the victim got the full functionality of the genuine apps along with the malware, which masked the malicious nature of the bogus apps.
Perhaps in an attempt to limit the spread of the malware, the attackers gated the download behind a six-digit code.
ESET believes the DigitalApps store is only one of the distribution methods the threat actor uses to infect victims, since the researchers found other apps carrying the same spyware that were not available in the store.
In at least one case, however, the GUI of the malicious application differs from the original and appears to have been created by the attackers, indicating that it does not impersonate the legitimate product.
Enhanced set of features
APT-C-23 is tracked under different names (Big Bang APT, Two-tailed Scorpion) by other cybersecurity companies. The group deploys malware for the Windows (KasperAgent, Micropsia) and Android (GnatSpy, Vamp, FrozenCell) platforms [1, 2, 3, 4, 5], attacking targets in the Middle East.
Compared with the group's previous Android spyware, the latest version extends its functionality beyond audio recording and the theft of call, SMS and contact logs and of specific file types (PDF, DOC, DOCX, PPT, PPTX, XLS, XLSX, TXT, JPG, JPEG, PNG).
ESET observed that the feature list now includes the ability to disable notifications from security apps built into devices from Samsung, Xiaomi and Huawei, allowing it to remain hidden even if its activity is detected.
In addition, it can now read notifications from messaging apps (WhatsApp, Facebook, Telegram, Instagram, Skype, Messenger, Viber), effectively stealing incoming messages.
The spyware can also record the screen (as video or still images) and incoming and outgoing WhatsApp calls. It can make calls covertly as well, drawing a black screen overlay that mimics an idle phone.
ESET has published a technical report detailing the new capabilities of APT-C-23’s enhanced spyware, which provides useful indicators of compromise.