APT C-23 group targets Middle East with an enhanced Android spyware variant

A threat actor, tracked as APT C-23, is using new powerful Android spyware in attacks aimed at targets in the Middle East.

The APT C-23 cyberespionage group (also known as GnatSpy, FrozenCell, or VAMP) continues to target entities in the Middle East with enhanced Android spyware masquerading as seemingly harmless app updates (e.g. AndroidUpdate, Telegram). The spyware is delivered to specific users via SMS text messages containing download links.

Experts from Sophos reported that recently discovered variants of the Android spyware implement new features to resist removal by users and to withstand attempts by security firms to dismantle its C2 infrastructure.

The APT-C-23 group has been using Android spyware since at least 2017; most of the targets were in the Palestinian Territories.

“The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads.” reads the analysis published by Sophos.

None of the apps analyzed by the researchers have been hosted on the official Google Play Store.

Over the years the APT-C-23 threat group has added further spying capabilities; the functionalities currently implemented are:

  • Collecting SMS messages, contacts, and call logs
  • Collecting images and documents
  • Recording audio, including incoming and outgoing calls and WhatsApp calls
  • Taking screenshots and recording video of the screen
  • Taking pictures using the camera
  • Hiding its own icon
  • Reading notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, or Signal
  • Canceling notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager), from Android system apps and Package Installer, and its own notifications

Upon opening the app, it asks the user to grant permissions that enable surveillance, such as access to the microphone for audio recording and access to all files stored on the device.

The malicious apps use social engineering to persuade the user to grant advanced permissions, justifying each request with a bogus explanation. For instance, the request to “Enable Notifications” claims that the app needs this functionality or else “you won’t receive notifications in real time.”

The app asks the user to enable the device admin permission, otherwise the “system won’t secure your internet connection.”

Once the app has obtained all the permissions, it changes its icon and name to disguise itself as one of several popular apps, such as Google Play, YouTube, Google, or Botim (a VoIP calling app). The next time the victim opens the spyware, it also launches the real app it is impersonating, to avoid raising suspicion.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app.” concludes the analysis. “Users should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access. Users can view the apps currently having device admin and notification access permissions by browsing to Settings and searching for “Device admin apps” and “Notification access” respectively.”
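The manual check recommended above (who holds device admin and notification access) and the disguise described earlier (a familiar app label on an unfamiliar package) can both be automated when triaging a device. The following Python script is an added example for this article, not code from Sophos or Security Affairs. It parses constructed samples shaped like `adb shell pm list packages -i`, `adb shell settings get secure enabled_notification_listeners` and a simplified, assumed `dumpsys device_policy` layout, then reports packages that imitate a well-known label, hold notification access or device admin rights outside an expected set, or were not installed from Google Play. The genuine package names for YouTube, Google Play and Google are well known; Botim is deliberately left out of the lookup table, and all package names other than those three are constructed.

```python
"""Triage of an Android device's privileged-app inventory (added example).

Flags the indicators the article describes: a label imitating a well-known
app on a non-genuine package, notification access or device-admin rights held
by unexpected packages, and installation from outside Google Play.
"""
import re

# Genuine package names for labels the spyware is reported to borrow.
# Botim is omitted on purpose: its package name is not asserted here.
GENUINE_PACKAGES = {
    "YouTube": "com.google.android.youtube",
    "Google Play": "com.android.vending",
    "Google": "com.google.android.googlequicksearchbox",
}
PLAY_STORE = "com.android.vending"

# Constructed sample: `pm list packages -i` output (package and installer).
SAMPLE_PM_LIST = """\
package:com.google.android.youtube installer=com.android.vending
package:com.oem.mdm installer=null
package:com.app.updater installer=com.android.packageinstaller
package:com.oem.wearable installer=com.android.vending
"""

# Constructed sample: displayed labels as exported by a forensic tool.
SAMPLE_LABELS = {
    "com.google.android.youtube": "YouTube",
    "com.oem.mdm": "Device Manager",
    "com.app.updater": "YouTube",  # label imitates a well-known app
    "com.oem.wearable": "Wear Companion",
}

# Constructed sample: `settings get secure enabled_notification_listeners`
# is a colon-separated list of package/class component names.
SAMPLE_LISTENERS = (
    "com.oem.wearable/com.oem.wearable.ListenerService"
    ":com.app.updater/com.app.updater.NotifService"
)

# Constructed sample in a simplified, ASSUMED `dumpsys device_policy` layout:
# each enabled admin appears as an indented "package/class:" line.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.oem.mdm/com.oem.mdm.AdminReceiver:
      uid=10041
      policies:
        force-lock
    com.app.updater/com.app.updater.DevAdmin:
      uid=10105
      policies:
        wipe-data
"""

COMPONENT_RE = re.compile(r"^\s*([a-z][\w.]*)/[\w.$]+:?\s*$")
PM_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package -> installer package ('null' when sideloaded via adb)."""
    out = {}
    for line in pm_output.splitlines():
        m = PM_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_listeners(setting_value):
    """Set of packages holding notification access."""
    return {c.split("/", 1)[0] for c in setting_value.split(":") if c.strip()}


def parse_device_admins(dump):
    """Set of packages registered as device admins (assumed dumpsys layout)."""
    return {m.group(1) for m in map(COMPONENT_RE.match, dump.splitlines()) if m}


def triage(pm_output, labels, listeners, device_policy, expected):
    """Return {package: [findings]} for packages that deserve a closer look."""
    installers = parse_installers(pm_output)
    findings = {}

    def flag(pkg, msg):
        findings.setdefault(pkg, []).append(msg)

    for pkg, label in labels.items():
        genuine = GENUINE_PACKAGES.get(label)
        if genuine and pkg != genuine:
            flag(pkg, f"label '{label}' imitates {genuine}")
    for pkg in sorted(parse_listeners(listeners) - expected):
        flag(pkg, "notification access granted")
    for pkg in sorted(parse_device_admins(device_policy) - expected):
        flag(pkg, "device admin granted")
    # The analysed samples were never on Google Play, so a flagged package
    # installed from elsewhere matches the combination the article describes.
    for pkg in list(findings):
        if installers.get(pkg, PLAY_STORE) != PLAY_STORE:
            flag(pkg, f"not installed from Google Play (installer={installers[pkg]})")
    return findings


if __name__ == "__main__":
    report = triage(SAMPLE_PM_LIST, SAMPLE_LABELS, SAMPLE_LISTENERS,
                    SAMPLE_DEVICE_POLICY, {"com.oem.mdm", "com.oem.wearable"})
    for pkg, notes in report.items():
        print(pkg, "->", "; ".join(notes))
```

On a real device, replace the constructed samples with the output of the corresponding `adb shell` commands and populate `expected` from the organisation's MDM and approved companion apps; any other package holding device admin or notification access is exactly what the advice above tells users to look for under “Device admin apps” and “Notification access”.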


Pierluigi Paganini

