APT C-23 group targets Middle East with an enhanced Android spyware variant

A threat actor, tracked as APT C-23, is using new powerful Android spyware in attacks aimed at targets in the Middle East.

The APT C-23 cyberespionage group (also known as GnatSpy, FrozenCell, or VAMP) continues to target entities in the Middle East with enhanced Android spyware masqueraded as seemingly harmless app updates (i.e. AndroidUpdate,, Telegram). The spyware is delivered to specific users via SMS text messages containing download links.

Experts from Sophos reported that recently discovered variants of Android spyware implement new features to avoid being removed by the users and to security firms that attempt to dismantle C2 infrastructure.

APT-C-23 group is using Android spyware since at least 2017, most of the targets were in the Palestinian Territories

“The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads.” reads the analysis published by Sophos.

None of the apps analyzed by the researchers have been hosted on the official Google Play Store.

Across the years the APT-C-23 threat group has implemented additional spying capabilities, below is the list of functionalities currently implemented:

• Collects SMS, contacts, call logs
• Collects images and documents
• Recording audio, incoming and outgoing calls, including WhatsApp calls
• Taking screenshots and recording video of the screen
• Taking pictures using the camera
• Hiding its own icon
• Reading notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, or Signal
• Canceling notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager), as well as from Android system apps, package Installer, and its own notifications

Upon opening the app, it requests that the user grant the app permissions to perform surveillance actions such as to access to the microphone to record audio and all files stored on the device.

The malicious apps use social engineering to ask the user to grant advanced permissions. They justify the need for the additional features with fake argumentation, for instance, the request to “Enable Notifications” claims that the app needs this functionality or else “you won’t receive notifications in real time.”

The app asks the user to Enable the device admin permission or “system won’t secure your internet connection.”

Once the app has obtained all the permissions, it changes its icon and name to disguise itself using an icon of one of the popular apps such as Google Play, Youtube, Google, or Botim (a VOIP calling app). Then, the next time the victim will open the spyware, the malware will also launch the real app whose disguise it wears to avoid raising suspicion.

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app.” concludes the analysis. “Users should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access. Users can view the apps currently having device admin and notification access permissions by browsing to Settings and searching for “Device admin apps” and “Notification access” respectively.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

[adrotate banner=”5″]

[adrotate banner=”13″]