ESET Research uncovers APT-C-23 group’s new Android spyware masked as Threema and Telegram
ESET researchers have analyzed a new version of Android spyware used by APT-C-23, a threat group active since at least 2017 that is known for mainly targeting the Middle East. The new spyware, detected by ESET security products as Android/SpyC23.A, builds upon previously reported versions with extended espionage functionality, new stealth features and updated C&C communication. One of the ways the spyware is distributed is via a fake Android app store, impersonating well-known messaging apps, such as Threema and Telegram, as a lure.
ESET researchers started investigating the malware when a fellow researcher tweeted about an unknown, little-detected Android malware sample in April 2020. “A collaborative analysis showed that this malware was part of the APT-C-23 arsenal – a new, enhanced version of their mobile spyware,” explains Lukáš Štefanko, the ESET researcher who analyzed Android/SpyC23.A.