The APT C-23 hacker group has updated its Android spyware with new features that make it more resilient and stealthier while masquerading as seemingly benign app updates.
Active since at least 2017, APT C-23 (aka GnatSpy, FrozenCell, or VAMP) is primarily known for its attacks on targets in the Middle East.
Researchers from cybersecurity firm Sophos have spotted new variants of APT C-23’s spyware that “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains.”
The new variants come in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. The researchers believe that the apps are delivered to specific users via SMS messages linking to downloads.
Once installed, the malware sends device parameters to its command-and-control server using a hardcoded C2 address. It also contains code that allows the spyware's operators to push down a new address, so the malware remains functional if one or several of the C2 server domains are taken down.
The first time the user opens the app, it requests specific permissions to perform a string of malicious activities, such as recording audio, accessing all files stored on the device, reading text messages and the names of contacts from various apps, including Facebook and WhatsApp, and dismissing notifications from other apps.
The spyware changes its icon and name to disguise itself as one of four apps: Google Play, YouTube, Google, or Botim (a VoIP calling app).
“Once this happens, the next time the spyware app is opened, the spyware opens the real app whose disguise it wears, i.e., it opens Chrome if it disguises itself as Chrome, thereby giving an illusion to the user that the app is legit,” the researchers said.
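The two behaviours described above, a surveillance-grade permission set and a display name that copies a well-known app while the package name does not match, can both be checked from an installed-app inventory. The following Python triage script is an added example for defenders and is not code from Sophos or from the article; the mapping of display names to genuine package names and the threshold of three matching permissions are assumptions chosen for illustration, and the inventory entries are constructed sample data rather than output from a real device.

```python
"""Triage an Android app inventory for two spyware indicators:
(1) a display name copying a well-known app while the package name is not
the genuine one, and (2) an app holding the audio/storage/SMS/contacts/
notification permission set. Sideloading (no installer recorded) is
reported as a supporting indicator when combined with either of those."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Display name -> genuine package name. Assumed mapping for this example;
# confirm against a trusted inventory before relying on it.
GENUINE_PACKAGES = {
    "Google Play": "com.android.vending",
    "YouTube": "com.google.android.youtube",
    "Google": "com.google.android.googlequicksearchbox",
    "Botim": "im.thebot.messenger",
}

# Permissions matching the capabilities listed in the article.
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Assumed threshold: three or more of the set is treated as suspicious.
PERMISSION_THRESHOLD = 3


@dataclass
class InstalledApp:
    label: str                      # name shown in the launcher
    package: str                    # Android package name
    permissions: Set[str] = field(default_factory=set)
    installer: Optional[str] = None  # None = sideloaded, no store installer


def findings_for(app: InstalledApp) -> List[str]:
    """Return the suspicious indicators for one app (empty list if none)."""
    out: List[str] = []
    genuine = GENUINE_PACKAGES.get(app.label)
    if genuine is not None and app.package != genuine:
        out.append(f"label '{app.label}' belongs to {genuine}, not {app.package}")
    held = app.permissions & SPYWARE_PERMISSIONS
    if len(held) >= PERMISSION_THRESHOLD:
        out.append("surveillance permission set: " + ", ".join(sorted(held)))
    # Sideloading alone is common; only report it alongside another indicator.
    if app.installer is None and out:
        out.append("sideloaded (no installer package recorded)")
    return out


def triage(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package name -> indicators for every app with at least one."""
    result: Dict[str, List[str]] = {}
    for app in apps:
        findings = findings_for(app)
        if findings:
            result[app.package] = findings
    return result


# Constructed sample inventory (not taken from any real device).
SAMPLE_INVENTORY = [
    InstalledApp("YouTube", "com.google.android.youtube",
                 {"android.permission.RECORD_AUDIO",
                  "android.permission.READ_EXTERNAL_STORAGE"},
                 installer="com.android.vending"),
    InstalledApp("Google Play", "com.example.sysupdate",
                 set(SPYWARE_PERMISSIONS)),
    InstalledApp("App Updates", "com.example.appupdates",
                 {"android.permission.RECORD_AUDIO",
                  "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"}),
    InstalledApp("Notes", "com.example.notes",
                 {"android.permission.READ_EXTERNAL_STORAGE"}),
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY).items():
        print(package)
        for reason in reasons:
            print("  -", reason)
```

On a real device the inventory can be built from `adb shell pm list packages -i` (installer per package) and `adb shell dumpsys package <pkg>` (granted permissions); the genuine YouTube entry in the sample is left unflagged because its package name matches and it holds only two of the listed permissions.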
“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app,” Sophos noted.