Saturday, May 25, 2024

APT C-23 Targeting Android Users in Middle East with Spyware

The cyberespionage group APT C-23 (also known as Gnat Spy, Frozen Cell, or VAMP) continues to attack Middle Eastern targets with upgraded Android spyware. It is disguised as seemingly harmless software updates (e.g. Android Update, Telegram).


What Did The Experts Say About The Spyware?

The new variants have enhanced stealth and persistence capabilities and are used against individuals in the Middle East. The malware is sent to targeted people as SMS text messages carrying download links. Researchers at Sophos said the spyware mimics the appearance of an application update, using generic icons and names like App Updates, System App Updates, or Android Update Intelligence. Sophos believes that specific users are receiving SMS texts with links to download the apps. Sophos contacted Google’s Android security team and sent details about the apps, but it is not known whether any of them were hosted on the Play Store. The new variants have “incorporated new features that make them more resilient to the removal of malicious apps by users, security, and web hosting companies who block access to, or shut down their command servers,” said Pankaj Kohli, a threat researcher at Sophos.


What Are The Salient Features Of The Spyware?

Since at least 2017, the APT-C-23 group has been targeting Palestinians with Android spyware.

  • Collects SMS messages, contacts, and call logs
  • Captures images and documents
  • Records audio of incoming and outgoing calls, including WhatsApp calls
  • Captures screenshots and video recordings
  • Takes pictures with the camera
  • Makes the camera’s icon invisible
  • Reads notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, and Signal
  • Cancels notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI Security Center, Huawei System Manager), as well as from Android system apps, package installers, and internal notifications

Since at least 2017, the APT-C-23 threat group has used mobile spyware to hoover up files, photos, contacts, and call logs, read messaging app notifications, record calls (including WhatsApp calls), and dismiss notifications from built-in Android security apps.

Previously, the malware was distributed by fake Android app stores under the guise of AndroidUpdate, Threema, and Telegram. As in the previous campaign, the latest campaign uses apps claiming to install updates on the target’s phone. These include apps called App Updates, System Apps Updates, and Android Update Intelligence. The attackers are thought to send the spyware app to the targets through smishing messages.

Upon installation, the app begins asking for the permissions it needs for a string of malicious activities designed to evade any attempt to remove it manually. It also changes its icon to hide behind popular apps such as Chrome, Google Play, and YouTube; when the user taps the fraudulent icon, the legitimate version of that app launches while the surveillance tasks keep running in the background.
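As an added triage illustration (not code from the article or from Sophos’s research), the following Python maps the capability list above onto the Android permissions an app must declare to have them, plus the notification-listener binding needed to read or cancel notifications, and flags the generic “update” branding used by the lure apps. The manifest it parses is constructed for the example, and the score threshold is an arbitrary assumption.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability described in the article -> permission the app must declare.
CAPABILITY_PERMS = {
    "android.permission.READ_SMS": "collect SMS",
    "android.permission.READ_CONTACTS": "collect contacts",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.RECORD_AUDIO": "record calls/audio",
    "android.permission.CAMERA": "take pictures/video",
}
# Reading/cancelling notifications needs a NotificationListenerService
# protected by this permission rather than a <uses-permission> entry.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Generic update branding seen on the lure apps (App Updates, Android Update ...).
UPDATE_LABEL = re.compile(r"\b(app|system|android)\b.*\bupdate", re.I)


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    caps = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in CAPABILITY_PERMS:
            caps.add(CAPABILITY_PERMS[name])
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER:
            caps.add("read/cancel notifications")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    generic_update = bool(UPDATE_LABEL.search(label))
    # One point per surveillance capability, two for update-style branding.
    # Legitimate messengers also request several of these: triage, not a verdict.
    score = len(caps) + (2 if generic_update else 0)
    return {"label": label, "capabilities": sorted(caps),
            "generic_update_label": generic_update, "score": score,
            "suspicious": score >= 5}  # threshold is an assumption


# Constructed sample manifest, not taken from a real APT-C-23 package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="System Apps Updates">
    <service android:name=".NotificationSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest yields six capabilities plus the update-style label; a manifest decoded from a real APK (for example with apktool) can be fed in the same way.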


Spyware poses a growing threat in an increasingly connected world, Kohli said. Android spyware linked to APT-C-23 has existed for at least four years, and it continues to evolve using new techniques that evade detection and removal.
