A threat actor known for hitting targets in the Middle East has once again upgraded its Android spyware with features that make it more insidious and more persistent, while posing as seemingly harmless app updates to stay under the radar.
The new variants have "incorporated new features into their malicious apps that make them more resilient to actions from users who may be trying to remove them manually, and to security and web hosting companies trying to block access to or shut down their command-and-control server domains," said Sophos threat researcher Pankaj Kohli in a report released Tuesday.
Also known by the names VAMP, FrozenCell, GnatSpy and Desert Scorpion, the mobile spyware has been a preferred tool of the threat group APT-C-23 since at least 2017, with successive iterations extending its surveillance functionality to collect files, images, contacts and call logs, read messages from messaging apps, record calls (including WhatsApp calls) and dismiss messages from built-in Android security apps.
In the past, the malware has been distributed via fake Android app stores under the guise of AndroidUpdate, Threema and Telegram. The latest campaign is no different: the spyware poses as apps that claim to install updates on the target phone, with names like App Updates, System Apps Updates and Android Update Intelligence. The attackers are believed to deliver the spyware app by sending targets a download link in SMS phishing (smishing) messages.
Once installed, the app requests invasive permissions and then carries out a series of actions designed to defeat any attempt to remove it manually. It changes its icon to impersonate popular apps such as Chrome, Google, Google Play and YouTube; if the user taps the fraudulent icon, the legitimate version of that app is launched while the spyware continues its surveillance tasks in the background.
"Spyware is a growing threat in an increasingly connected world," Kohli said. "The Android spyware associated with APT-C-23 has been around for at least four years, and attackers continue to develop it with new techniques that avoid detection and removal."