Starting from a little-known malware sample, security researchers tracked down a new Android spyware distributed through fake messaging apps like Threema, Telegram, and WeMessage.
The malware is from APT-C-23, a group of advanced hackers running espionage campaigns against military and educational institutions since before July 2015.
An updated version discovered earlier this year shows an impressive set of new features that let the spyware dismiss notifications from security solutions running on Samsung, Xiaomi, and Huawei devices, thus being able to operate silently.
Hiding in fake apps
In April 2020, security researcher MalwareHunterTeam tweeted about a piece of spyware for Android that had a very low detection rate on VirusTotal. Examining the sample, researchers at ESET discovered that it was part of the malware toolkit used by the APT-C-23 threat actor.
About two months later, in, June, MalwareHunterTeam found a new sample of the same malware hidden in the installation file of the Telegram messaging app available from DigitalApps, an unofficial Android store.
Since their security solution was among the few that detected in the wild the new spyware from APT-C-23, ESET started to investigate and discovered that the malware was also concealed in other apps listed in the store.
They found it in Threema, a secure messaging platform, and in AndroidUpdate, an app posing as a system update for the mobile platform.
With Threema and Telegram, the victim would get the full functionality of the apps along with the malware, thus concealing the malicious nature of the fake apps.
Possibly in an attempt to limit the spread of the malware, the attackers added a fake download gate by requiring a six-digit code.
ESET believes that using the DigitalApps store is only one of the distribution methods the threat actor used to infect victims because they found other apps that were not available in the store but contained the same spyware.
“In June 2020, ESET systems blocked this spyware on client devices in Israel. The detected malware samples were disguised as the messaging app ‘WeMessage’” – ESET
However, the graphical interface of the malicious app differed greatly from the original and seems to have been created by the attacker, indicating that it was not impersonating the legitimate product.
Improved set of features
The APT-C-23 is tracked under different names (Big Bang APT, Two-tailed Scorpion) by other cybersecurity companies. The group deploys malware for Windows (KasperAgent, Micropsia) and Android (GnatSpy, Vamp, FrozenCell) platforms [1, 2, 3, 4, 5], attacking targets in the Middle East.
Compared to previous spyware for Android, the latest version from APT-C-23 extends functionality beyond recording audio, stealing call logs/SMS/contacts and specific file types (PDF, DOC, DOCX, PPT, PPTX, XLS, XLSX, TXT, JPG, JPEG, PNG).
ESET observed that the list of features now includes the possibility to silence notifications from security apps integrated with devices from Samsung, Xiaomi, and Huawei, allowing it to stay hidden even if its activity is detected.
Furthermore, it can now read notifications from messaging apps (WhatsApp, Facebook, Telegram, Instagram, Skype, Messenger, Viber), effectively stealing incoming messages.
The spyware can also record the screen (video and picture) as well as incoming and outgoing calls via WhatsApp. It can also make calls covertly, by creating a black screen overlay mimicking an inactive phone.
ESET published a technical report detailing the new capabilities of the improved spyware from APT-C-23, which provides useful indicators of compromise.