24 November 2021

APT C-23 hackers are targeting Middle East users with new Android spyware

APT C-23 hacker group has updated its Android spyware to include new features that allow it to be more resilient and stealthier while masquerading as seemingly benign app updates.

Active since at least 2017, APT C-23 (aka GnatSpy, FrozenCell, or VAMP) is primarily known for its attacks on targets in the Middle East.

Researchers from cybersecurity firm Sophos have spotted new variants of APT C-23’s spyware that “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains.”

The new variants come in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. The researchers believe that the apps are delivered to specific users via SMS messages linking to downloads.

Once installed, the malware sends device parameters to its command-and-control server using a hardcoded C2 address. It also contains code that allows the operators of the spyware to push down a new address, which allows the malware to remain functional if one or several of the C2 server domains are taken down.

The first time the user opens the app, it requests specific permissions to perform a string of malicious activities, such as recording audio, accessing all files stored on the device, reading text messages and the names of contacts from various apps, including Facebook and WhatsApp, and dismissing notifications from other apps.

The spyware changes its icon and name to disguise itself, using the icon of one of four apps: Google Play, YouTube, Google, or Botim (a VoIP calling app).

“Once this happens, the next time the spyware app is opened, the spyware opens the real app whose disguise it wears, i.e., it opens Chrome if it disguises itself as Chrome, thereby giving an illusion to the user that the app is legit,” the researchers said.
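The permission set and the brand-name disguise described above are the two traits a triage analyst can check for in a decoded manifest of a sideloaded "update" app. The following is an added example, not Sophos's tooling or anything from the report: it scans an AndroidManifest.xml for the listed permissions, an update-themed label, and a launcher alias carrying one of the four impersonated brand names; the sample manifest and its package name are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capabilities the report lists: audio, files, SMS, contacts, notification dismissal.
SPY_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",  # declared on a <service>
}
UPDATE_LURE = re.compile(r"\b(app|system apps?|android) updates?\b", re.I)
DISGUISES = {"google play", "youtube", "google", "botim"}

def triage(manifest_xml: str) -> dict:
    """Return the spyware indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # A notification listener is gated by the permission set on its service, not a uses-permission.
    perms |= {s.get(ANDROID + "permission") for s in root.iter("service")}
    labels = set()
    for node in root.iter():
        if node.tag in ("application", "activity", "activity-alias"):
            label = node.get(ANDROID + "label")
            if label:
                labels.add(label.strip().lower())
    hits = sorted(perms & SPY_PERMS)
    lure = any(UPDATE_LURE.search(label) for label in labels)
    disguises = sorted(labels & DISGUISES)
    return {
        "spy_permissions": hits,
        "update_lure": lure,
        "disguise_labels": disguises,
        # Three of the listed permissions plus an update lure or a brand-named alias warrants a manual look.
        "suspicious": len(hits) >= 3 and (lure or bool(disguises)),
    }

# Constructed sample manifest (hypothetical package name) in the shape the report describes.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.updater">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="System Apps Updates">
    <activity android:name=".Main" android:label="System Apps Updates"/>
    <activity-alias android:name=".PlayAlias" android:targetActivity=".Main" android:label="Google Play"/>
    <service android:name=".Listener" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage(SAMPLE)` on a manifest decoded with apktool or aapt to get the indicator dictionary; the alias check also catches the switch-at-runtime disguise because the alias must be declared in the manifest up front.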

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app,” Sophos noted.
