The cyberespionage group APT-C-23 (also known as GnatSpy, FrozenCell, or VAMP) continues to attack Middle Eastern targets with upgraded Android spyware disguised as seemingly harmless software updates (e.g. Android Update, Telegram).
What Did The Experts Say About The Spyware?
The new variants, which target individuals in the Middle East, have enhanced stealth and persistence capabilities. The malware is delivered to targeted people as SMS text messages containing download links. Researchers at Sophos said the spyware mimics the appearance of an update application, using generic icons and names such as App Updates, System App Updates, or Android Update Intelligence. Sophos believes that specific users are receiving SMS texts with links to download the apps. Sophos contacted Google’s Android security team and sent details about the apps, but it is not known whether any of the apps were hosted on the Play Store. The new variants have “incorporated new features that make them more resilient to the removal of malicious apps by users, security, and web hosting companies who block access to, or shut down their command servers,” said Pankaj Kohli, a threat researcher at Sophos.
What Are The Salient Features Of The Spyware?
Since at least 2017, the APT-C-23 group has been targeting Palestinians with Android spyware. Its capabilities include:
- Collecting SMS messages, contacts, and call logs
- Capturing images and documents
- Recording incoming and outgoing calls, including WhatsApp calls
- Capturing screenshots and video recordings
- Taking pictures with the camera
- Making the camera’s icon invisible
- Reading notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, and Signal
- Cancelling notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI Security Center, and Huawei System Manager), as well as from Android system apps, package installers, and internal notifications
Since at least 2017, the APT-C-23 threat group has used mobile spyware to hoover up files, photos, contacts, and call logs, read messaging app notifications, record calls (including WhatsApp calls), and dismiss notifications from built-in Android security apps.
Previously, the malware was distributed through fake Android app stores under the guise of AndroidUpdate, Threema, and Telegram. As in the previous campaign, the latest campaign uses apps that claim to install updates on the target’s phone, including apps called App Updates, System Apps Updates, and Android Update Intelligence. The attackers are thought to send the spyware app to targets through smishing (SMS phishing) messages.
Upon installation, the app requests a string of permissions that enable its malicious activities and are designed to defeat any attempt to remove it manually. It also changes its icon to hide behind popular apps such as Chrome, Google Play, and YouTube: when the user taps the fraudulent icon, the legitimate version of that app launches while the surveillance tasks keep running in the background.
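The capability list above and the update-app disguise map closely onto what an Android app has to declare in its manifest. The following triage script is an added example (not from the article, Sophos, or the APT-C-23 samples): it parses a constructed AndroidManifest.xml, maps the declared permissions to the reported capabilities, checks for a notification listener service (the component an app needs to read and cancel other apps' notifications), and flags an app whose label mimics a system updater. The permission and service names are real Android identifiers; the capability mapping, the scoring thresholds and the package name are this example's own assumptions.

```python
"""Triage an Android manifest for the spyware capability set reported above.

Added example, not code from the article or from Sophos. The mapping from
permissions to capabilities and the risk thresholds are assumptions made here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; grouping them under the article's
# capability list is this example's assumption.
CAPABILITY_PERMISSIONS = {
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "record audio / calls": {"android.permission.RECORD_AUDIO"},
    "use camera": {"android.permission.CAMERA"},
    "read files": {"android.permission.READ_EXTERNAL_STORAGE"},
}
# A service guarded by this permission is a NotificationListenerService,
# which can read and cancel other apps' notifications.
NOTIFICATION_LISTENER_PERMISSION = (
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE")
# Label fragments used by the update-app lures named in the article.
UPDATE_LURE_WORDS = ("update", "system app")


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capabilities, disguise indicators and a risk verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {_attr(p, "name") for p in root.iter("uses-permission")}
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items() if declared & perms)

    listens = any(_attr(s, "permission") == NOTIFICATION_LISTENER_PERMISSION
                  for s in root.iter("service"))

    app = root.find("application")
    label = (_attr(app, "label") or "").lower() if app is not None else ""
    lure_label = any(word in label for word in UPDATE_LURE_WORDS)

    # Assumed weighting: each surveillance capability counts 1, the
    # notification listener and an updater-style label count 2 each.
    score = len(capabilities) + (2 if listens else 0) + (2 if lure_label else 0)
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {
        "capabilities": capabilities,
        "notification_listener": listens,
        "lure_label": lure_label,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest resembling the reported lure (placeholder package name).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.appupdates">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="App Updates">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app, used as a control.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("lure", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

The verdict is only a triage signal: a legitimate accessibility or messaging app may also hold a notification listener, so the value lies in the combination of an updater-style label, a listener service and the full SMS/contacts/call-log/audio/camera set, which is what distinguishes the reported samples from ordinary apps.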
Spyware poses a growing threat in an increasingly connected world, Kohli said. Android spyware linked to APT-C-23 has existed for at least four years, and it continues to evolve using new techniques that evade detection and removal.