ESET researchers have analyzed a new version of Android spyware used by APT-C-23, a threat group active since at least 2017 that is known for mainly targeting the Middle East. The new spyware, detected by ESET security products as Android/SpyC23.A, builds upon previously reported versions with extended espionage functionality, new stealth features and updated C&C communication. One of the ways the spyware is distributed is via a fake Android app store, impersonating well-known messaging apps, such as Threema and Telegram, as a lure.

ESET researchers started investigating the malware when a fellow researcher tweeted about an unknown, little-detected Android malware sample in April 2020. “A collaborative analysis showed that this malware was part of the APT-C-23 arsenal – a new, enhanced version of their mobile spyware,” explains Lukáš Štefanko, the ESET researcher who analyzed Android/SpyC23.A. 

The spyware was found lurking behind seemingly legitimate apps in a fake Android app store. “When we analyzed the fake store, it contained both malicious and clean items. The malware was hiding in apps posing as AndroidUpdate, Threema and Telegram. In some cases, victims would end up with both the malware and the impersonated app installed,” comments Štefanko. 

After installation, the malware requests a series of sensitive permissions, disguised as security and privacy features. “The attackers used social engineering-like techniques to trick victims into granting the malware various sensitive rights. For example, permission to read notifications is masked as a message encrypting feature,” details Štefanko. 

Once initialized, the malware can carry out a range of espionage activities based on commands from its C&C server. Besides recording audio; exfiltrating call logs, SMS and contacts; and stealing files, the updated Android/SpyC23.A can also read notifications from messaging apps, make screen and call recordings, and dismiss notifications from some built-in Android security apps. The malware’s C&C communication has also undergone an update, making the C&C server more difficult to identify for security researchers. 

The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017 by Qihoo 360 Technology under the name Two-tailed Scorpion. Since then, multiple analyses of APT-C-23’s mobile malware have been published. Android/SpyC23.A – the group’s latest spyware version – features several improvements making it even more dangerous to victims. 

“To stay safe from spyware, we advise Android users to only install apps from the official Google Play Store, double-check the permissions requested, and use a trustworthy and up-to-date mobile security solution,” concludes Štefanko. 

For more technical details about this spyware, read the blog post “APT-C-23 group evolves its Android spyware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.