New Android Spyware Variants Linked to Middle Eastern APT


New variants of Android spyware linked to a Middle East advanced persistent threat group (APT) have been designed to be insidious and more persistent, Sophos researchers reported today.

This malware appears as an update app with a generic icon and name – for example “App Updates” – and researchers believe it is distributed as a download link in a text message sent to the victim’s phone. When a victim runs the app, it requests permission to control different parts of the phone. The attackers use social engineering to convince the victims that this control is necessary.

If the victim grants the permissions, the spyware hides itself under the name and icon of a legitimate app, making it harder for the user to find and remove it. The new variants have more and more varied disguises than previous versions and hide behind the icons of popular apps such as Google, Chrome, Google Play and YouTube. If the user taps the fake icon, the spyware launches a legitimate version of that app while continuing to monitor in the background.
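The icon-and-name impersonation described above is something an administrator can screen for from an app inventory. The following is an added example, not code from Sophos or from the article: it assumes the inventory is a list of (package name, user-visible label) pairs exported from an MDM tool or collected over `adb`, and the sample inventory and the package `org.example.fake` are constructed.

```python
# Added example: flag installed apps whose label imitates a well-known app
# while their package name is not the official one, plus apps carrying the
# generic "update" disguise the article describes. Inventory source is assumed.

# Official package names of the apps the spyware variants are reported to mimic.
OFFICIAL_PACKAGES = {
    "google": "com.google.android.googlequicksearchbox",
    "chrome": "com.android.chrome",
    "google play": "com.android.vending",
    "youtube": "com.google.android.youtube",
}

# Labels consistent with the generic "App Updates"-style disguise.
GENERIC_UPDATE_LABELS = {"app updates", "update", "system update"}


def find_suspicious_apps(inventory):
    """Return (package, label, reason) tuples for apps whose label matches a
    well-known app but whose package differs from the official one, or whose
    label is a generic update-app name."""
    findings = []
    for package, label in inventory:
        norm = label.strip().lower()
        if norm in OFFICIAL_PACKAGES and OFFICIAL_PACKAGES[norm] != package:
            findings.append(
                (package, label, f"label impersonates {OFFICIAL_PACKAGES[norm]}")
            )
        elif norm in GENERIC_UPDATE_LABELS:
            findings.append((package, label, "generic update-app disguise"))
    return findings


# Constructed sample inventory: three genuine apps and two suspicious entries.
SAMPLE_INVENTORY = [
    ("com.android.chrome", "Chrome"),
    ("com.google.android.youtube", "YouTube"),
    ("com.android.vending", "Google Play"),
    ("com.updater.service", "App Updates"),
    ("org.example.fake", "Google"),
]

if __name__ == "__main__":
    for package, label, reason in find_suspicious_apps(SAMPLE_INVENTORY):
        print(f"{package}\t{label!r}\t{reason}")
```

A label match alone is a lead, not a verdict: confirm by checking the flagged package's signing certificate and installer source before removing it.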

The malicious features are the same as in previous iterations: collecting text from SMS and other apps, contacts, call logs, documents and pictures; recording ambient sound along with incoming and outgoing calls; taking pictures and screenshots; recording the device screen; reading messages from social media and messaging apps; and cancelling security app notifications.

“Android spyware linked to the APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that avoid detection and removal,” threat researcher Pankaj Kohli wrote in a release. “Attackers are also using social engineering to entice victims to provide the necessary permissions to look into every corner of their digital lives.”

The C-23 APT has been active in the Middle East since 2017, and the newly discovered variants share code with other malware samples attributed to the group. Researchers also found Arabic-language strings in the code, reporting that some of the text could be presented in English or Arabic, depending on the language setting of the victim's device.
