APT-C-23 group targets the Middle East with an enhanced Android spyware variant

A threat actor tracked as APT-C-23 is using a new, more capable Android spyware variant in attacks aimed at targets in the Middle East.

The APT-C-23 cyberespionage group (also tracked as GnatSpy, FrozenCell, or VAMP) continues to target entities in the Middle East with enhanced Android spyware masquerading as seemingly harmless app updates (e.g. AndroidUpdate, Telegram). The spyware is delivered to specific users via SMS text messages containing download links.

Experts from Sophos reported that the recently discovered variants implement new features designed to resist removal by the user and to survive attempts by security firms to dismantle the C2 infrastructure.

The APT-C-23 group has been using Android spyware since at least 2017; most of its targets have been in the Palestinian Territories.

“The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads.” reads the analysis published by Sophos.

None of the apps analyzed by the researchers were hosted on the official Google Play Store.

Over the years the APT-C-23 group has added spying capabilities to the malware; the functionality currently implemented includes:

  • Collecting SMS messages, contacts, and call logs
  • Collecting images and documents
  • Recording audio and incoming and outgoing calls, including WhatsApp calls
  • Taking screenshots and recording video of the screen
  • Taking pictures with the camera
  • Hiding its own launcher icon
  • Reading notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, or Signal
  • Canceling notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager), from Android system apps and the package installer, and its own notifications

Upon launch, the app asks the user to grant the permissions it needs for surveillance, such as access to the microphone to record audio and access to all files stored on the device.

The malicious apps use social engineering to obtain these advanced permissions, justifying each request with a bogus explanation. The request to “Enable Notifications” claims that without it “you won’t receive notifications in real time,” and the request to enable device admin rights warns that otherwise the “system won’t secure your internet connection.”

Once the app has obtained all the permissions, it changes its icon and name to disguise itself as one of several popular apps, such as Google Play, YouTube, Google, or Botim (a VoIP calling app). The next time the victim opens the spyware, it also launches the real app it is impersonating so as not to raise suspicion.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app.” concludes the analysis. “Users should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access. Users can view the apps currently having device admin and notification access permissions by browsing to Settings and searching for “Device admin apps” and “Notification access” respectively.”
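The two grants Sophos singles out, notification access and device admin, are also the easiest to audit from a workstation. The following Python script is an added example, not code from the Sophos report or from this article: it performs that check offline on saved `adb shell` output, parsing the `enabled_notification_listeners` secure setting, the “Enabled Device Admins” section of `dumpsys device_policy`, and the `pm list packages -3` listing, and reports every sideloaded package that holds either grant. The sample outputs are constructed for the example; the package name `com.example.updater` is hypothetical, and the `dumpsys` line layout is an assumption that may differ on some OEM builds.

```python
"""Flag third-party Android packages holding notification access or
device-admin rights, the two grants APT-C-23's spyware asks for.

Inputs are the saved text of three commands (assumption: layouts as
printed by recent AOSP builds; OEM ROMs may differ):
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys device_policy
  adb shell pm list packages -3
"""
import re

# Constructed sample output. com.example.updater is a hypothetical
# sideloaded app standing in for the "App Updates"-style spyware.
NOTIF_LISTENERS = (
    "com.google.android.wearable.app/"
    "com.google.android.clockwork.companion.ListenerService:"
    "com.example.updater/com.example.updater.NotifyService"
)

DUMPSYS_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.updater/com.example.updater.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10050
  Password mode: 0
"""

THIRD_PARTY = """package:com.example.updater
package:org.telegram.messenger
package:com.whatsapp
"""

# A device-admin entry is a 4-space-indented "pkg/class:" line; deeper
# indentation holds that admin's uid and policies.
ADMIN_RE = re.compile(r"^\s{4}(\S+/\S+):\s*$")


def parse_listeners(raw):
    """Return the enabled notification-listener components (pkg/class)."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no listeners enabled
        return []
    return [comp for comp in raw.split(":") if comp]


def parse_device_admins(dump):
    """Return enabled device-admin components from dumpsys device_policy."""
    admins = []
    in_section = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("Enabled Device Admins"):
            in_section = True
            continue
        if not in_section:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if stripped and indent <= 2:  # next top-level key ends the section
            break
        match = ADMIN_RE.match(line)
        if match:
            admins.append(match.group(1))
    return admins


def parse_third_party(listing):
    """Return the set of package names from `pm list packages -3` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in listing.splitlines()
        if line.startswith("package:")
    }


def package_of(component):
    return component.split("/", 1)[0]


def triage(listeners_raw, dump, listing):
    """Map each sideloaded package to the sensitive grants it holds.

    System apps (e.g. Google's Find My Device admin receiver) are not
    in the -3 listing, so only sideloaded packages are reported.
    """
    third_party = parse_third_party(listing)
    findings = {}
    for comp in parse_listeners(listeners_raw):
        if package_of(comp) in third_party:
            findings.setdefault(package_of(comp), set()).add("notification_access")
    for comp in parse_device_admins(dump):
        if package_of(comp) in third_party:
            findings.setdefault(package_of(comp), set()).add("device_admin")
    return findings


if __name__ == "__main__":
    for pkg, grants in sorted(triage(NOTIF_LISTENERS, DUMPSYS_DEVICE_POLICY, THIRD_PARTY).items()):
        print(f"REVIEW {pkg}: {', '.join(sorted(grants))}")
```

On a real device, replace the three constants with the saved command output; a sideloaded package that holds both grants and whose launcher label is a well-known app name is exactly the profile described above and should be pulled with `adb pull` for analysis before it is uninstalled.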


Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)
