New Android Spyware Variants Linked to Middle Eastern APT

The new variants, improved for stealth and persistence, share code with other malware samples attributed to the C-23 APT.

Dark Reading Staff, Dark Reading

November 23, 2021

New variants of Android spyware linked to a Middle Eastern advanced persistent threat (APT) group have been designed to be stealthier and more persistent, Sophos researchers reported today.

This malware appears as an update app with a generic icon and name — for example, "App Updates" — and researchers believe it's distributed as a download link in a text message sent to the victim's phone. When a victim runs the app, it requests permission to control different parts of the phone. The attackers use social engineering to convince victims this control is necessary.

If the victim grants permissions, the spyware disguises itself under the name and icon of a legitimate app, making it harder for the user to find and remove it. The new variants have more and varied disguises than earlier versions and hide behind the icons of popular apps like Google, Chrome, Google Play, and YouTube. If the user clicks the fake icon, the spyware launches a legitimate version of the app while conducting surveillance in the background.

The malicious features are unchanged from earlier iterations: gathering text from SMS and other apps, contacts, call logs, documents, and images; recording ambient audio along with incoming and outgoing calls; taking pictures and screenshots; recording the device's screen; reading notifications from social media and messaging apps; and canceling security app notifications.

"The Android spyware linked to APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal," wrote threat researcher Pankaj Kohli in a release. "The attackers also use social engineering to lure victims into granting the permissions needed to see into every corner of their digital life."

The C-23 APT has been active in the Middle East since 2017, and the newly detected variants share code with other malware samples attributed to the group. Researchers also found Arabic language strings in the code and report that some of the text could be presented in English or Arabic, depending on the language setting of a victim's device.

Read more details here.
