24 November 2021

APT C-23 hackers are targeting Middle East users with new Android spyware

APT C-23 hacker group has updated its Android spyware to include new features that allow it to be more resilient and stealthier while masquerading as seemingly benign app updates.

Active since at least 2017, APT C-23 (aka GnatSpy, FrozenCell, or VAMP) is primarily known for its attacks on targets in the Middle East.

Researchers from cybersecurity firm Sophos have spotted new variants of APT C-23’s spyware that “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains.”

The new variants come in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. The researchers believe that the apps are delivered to specific users via SMS messages linking to downloads.

Once installed, the malware sends device parameters to its command-and-control server using a hardcoded C2 address. It also contains code that allows the operators of the spyware to push down a new address, which keeps the malware functional if one or several of the C2 server domains are taken down.

The first time the user opens the app, it requests specific permissions to perform a string of malicious activities, such as recording audio, accessing all files stored on the device, reading text messages and the names of contacts from various apps, including Facebook and WhatsApp, and dismissing notifications from other apps.

The spyware changes its icon and name to disguise itself as one of four apps: Google Play, YouTube, Google, or Botim (a VoIP calling app).

“Once this happens, the next time the spyware app is opened, the spyware opens the real app whose disguise it wears, i.e., it opens Chrome if it disguises itself as Chrome, thereby giving an illusion to the user that the app is legit,” the researchers said.
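As an added illustration of the pattern described above (this is not code from the article or from Sophos), the following Python script triages a decoded AndroidManifest.xml for the combination the researchers describe: an "update" lure label, the permissions behind the listed capabilities, and launcher aliases labelled after the impersonated apps. The two manifests embedded in it are constructed for this example, the package names are invented, and the use of activity-alias entries for the icon swap is an assumption about a common Android mechanism, not something the article confirms.

```python
"""Manifest triage for the update-lure spyware pattern described in the article.

Added example, not code from Sophos or the article. It assumes the analyst has
already unpacked the APK (e.g. with apktool) and has a decoded AndroidManifest.xml.
Both manifests below are constructed for this example; the package names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map to the capabilities the article lists: audio recording,
# full file access, SMS, contacts, and notification access (the mechanism by
# which an app can read chat notifications from other apps and dismiss them).
CAPABILITY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "access all files",
    "android.permission.READ_EXTERNAL_STORAGE": "read stored files",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read/dismiss notifications",
}

# Labels of the legitimate apps the article says the spyware impersonates.
IMPERSONATED_LABELS = {"google play", "youtube", "google", "botim"}

# Constructed manifest modelled on the described behaviour (assumption: the icon
# swap is done with disabled activity-alias entries that are toggled at runtime).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="System Apps Updates">
    <activity android:name=".MainActivity" android:label="System Apps Updates">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".AliasYouTube" android:targetActivity=".MainActivity"
        android:label="YouTube" android:enabled="false"/>
    <activity-alias android:name=".AliasPlay" android:targetActivity=".MainActivity"
        android:label="Google Play" android:enabled="false"/>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest used to show the triage does not fire on ordinary apps.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return findings that match the article's description of the spyware."""
    root = ET.fromstring(xml_text)

    # Permissions requested via <uses-permission>.
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Notification access is declared as the protecting permission of a service,
    # not via <uses-permission>, so collect those too.
    requested |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    requested.discard(None)
    capabilities = sorted(v for k, v in CAPABILITY_PERMISSIONS.items() if k in requested)

    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""

    # Launcher aliases whose label copies an impersonated app are the disguise hook.
    alias_labels = [a.get(ANDROID_NS + "label") or "" for a in root.iter("activity-alias")]
    disguises = sorted(l for l in alias_labels if l.lower() in IMPERSONATED_LABELS)

    findings = {
        "package": root.get("package"),
        "update_lure": "update" in label.lower(),
        "capabilities": capabilities,
        "disguise_aliases": disguises,
    }
    # Flag an "update" app that wants several surveillance capabilities, or any
    # app carrying aliases named after the impersonated apps.
    findings["suspicious"] = (findings["update_lure"] and len(capabilities) >= 3) or bool(disguises)
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

The heuristic is deliberately narrow: a single dangerous permission is normal for many apps, so it is the combination of an update-themed label, several surveillance capabilities, and launcher aliases named after well-known apps that is worth a closer look.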

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app,” Sophos noted.
