24 November 2021

APT C-23 hackers are targeting Middle East users with new Android spyware



The APT C-23 hacker group has updated its Android spyware with new features that make it more resilient and stealthier while it masquerades as seemingly benign app updates.

Active since at least 2017, APT C-23 (aka GnatSpy, FrozenCell, or VAMP) is primarily known for its attacks on targets in the Middle East.

Researchers from cybersecurity firm Sophos have spotted new variants of APT C-23’s spyware that “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains.”

The new variants come in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. The researchers believe that the apps are delivered to specific users via SMS messages linking to downloads.

Once installed, the malware sends device parameters to its command-and-control server using a hardcoded C2 address. It also contains code that allows the spyware operators to push down a new address, so the malware remains functional if one or several of the C2 server domains are taken down.

The first time the user opens the app, it requests specific permissions to perform a string of malicious activities, such as recording audio, accessing all files stored on the device, reading text messages and the names of contacts from various apps, including Facebook and WhatsApp, and dismissing notifications from other apps.
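The permission set described above (audio recording, file access, SMS and contact reading, notification access) requested by an app that calls itself an "update" is a combination a defender can triage statically. The script below is an added example, not Sophos' code or anything from the report: it parses the decoded text form of an AndroidManifest.xml (as produced by tools such as apktool) and scores it against that capability list. The permission strings are real Android permission names; the sample manifests, package names and the scoring thresholds are constructed for illustration.

```python
"""Static permission triage for decoded Android manifests (defender-side heuristic).

Added example: flags the capability combination the article attributes to the
APT C-23 updater apps (audio, files, SMS, contacts, notification access) when
the app also presents itself as an "update". Thresholds are illustrative.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability (as described in the report) -> Android permissions that grant it.
CAPABILITIES = {
    "record_audio": {"android.permission.RECORD_AUDIO"},
    "read_files": {"android.permission.READ_EXTERNAL_STORAGE",
                   "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read_contacts": {"android.permission.READ_CONTACTS"},
    # Notification access is held by a service that declares this permission
    # rather than by a <uses-permission> entry.
    "notification_access": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

UPDATE_WORDS = ("update", "updates")


def parse_manifest(xml_text):
    """Return package name, app label and the set of requested/declared permissions."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    # Services gating themselves with BIND_NOTIFICATION_LISTENER_SERVICE count too.
    for svc in root.iter("service"):
        declared = svc.get(PERM_ATTR)
        if declared:
            perms.add(declared)
    return {"package": root.get("package", ""), "label": label, "permissions": perms}


def triage(manifest):
    """Score the manifest: which report capabilities are present, and does it pose as an update."""
    found = {cap for cap, names in CAPABILITIES.items() if manifest["permissions"] & names}
    poses_as_update = any(w in manifest["label"].lower() for w in UPDATE_WORDS)
    score = len(found) + (2 if poses_as_update else 0)
    if poses_as_update and len(found) >= 3:
        verdict = "suspicious"   # update-themed app with broad surveillance capability
    elif len(found) >= 3:
        verdict = "review"       # broad capability, but no social-engineering theme
    else:
        verdict = "ok"
    return {"capabilities": sorted(found), "poses_as_update": poses_as_update,
            "score": score, "verdict": verdict}


# Constructed sample: mimics the permission profile described in the article.
SAMPLE_UPDATER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Apps Updates">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a narrow permission set.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""


if __name__ == "__main__":
    for text in (SAMPLE_UPDATER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        m = parse_manifest(text)
        print(m["package"], triage(m))
```

Run against the decoded manifest of an unknown APK, a "suspicious" verdict is a reason to pull the sample for dynamic analysis, not a conviction on its own; plenty of legitimate backup or messaging apps hold several of these permissions, which is why the label check carries separate weight here.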

The spyware then changes its icon and name to disguise itself as one of four apps: Google Play, YouTube, Google, or Botim (a VoIP calling app).

“Once this happens, the next time the spyware app is opened, the spyware opens the real app whose disguise it wears, i.e., it opens Chrome if it disguises itself as Chrome, thereby giving an illusion to the user that the app is legit,” the researchers said.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app,” Sophos noted.

