An actor known for hitting targets in the Middle East has further evolved its Android spyware with enhanced capabilities that make it more stealthy and persistent, while masquerading as seemingly harmless app updates to stay under the radar.
The new variants have "incorporated new features into their malicious applications that make them more resistant to actions by users, who might try to remove them manually, and to security and web hosting companies who attempt to block access to, or shut down, their command-and-control server domains," Sophos threat researcher Pankaj Kohli said in a report on Tuesday.
Also known by the nicknames VAMP, FrozenCell, GnatSpy, and Desert Scorpion, the mobile spyware has been a tool of choice for the APT-C-23 threat group since at least 2017, with successive iterations featuring extensive monitoring functionality to exfiltrate files, pictures, contacts and call logs, read notifications from messaging apps, record calls (including WhatsApp), and dismiss notifications from built-in Android security apps.
In the past, the malware has been distributed through bogus Android app stores under the guise of AndroidUpdate, Threema, and Telegram. The latest campaign is no different in that it takes the form of apps that claim to install updates on the target's phone, with names like App Updates, System Apps Updates, and Android Update Intelligence. The attackers are believed to deliver the spyware by sending targets a download link via smishing (SMS phishing) messages.
Once installed, the app asks for invasive permissions and then performs a series of malicious actions designed to defeat any attempt at manual removal. It also changes its icon to hide behind popular apps like Chrome, Google, Google Play, and YouTube; if the user taps the decoy icon, the legitimate version of that app is launched while the spyware carries on its monitoring tasks in the background.
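The two traits described above, an update-themed app that declares decoy launcher entries named after well-known apps and a permission set that supports call, contact and notification surveillance, can both be checked statically from a decoded manifest. The following triage script is an added example written for this page, not code from Sophos or from the report; the manifest it inspects is constructed for illustration (the package name `com.example.sysupdate` and the component names are placeholders), and the brand-to-package table is this example's own assumption about which packages legitimately own those names. It uses `activity-alias` entries as the signal for icon swapping, which is a common way to implement the behaviour the article describes but is not something the report itself states.

```python
"""Static triage for update-themed Android apps that mimic well-known apps.

Added example (not from the Sophos report). Reads a decoded
AndroidManifest.xml and reports the combination of signals the article
describes: an "update" theme, decoy labels borrowed from popular apps,
surveillance-grade permissions and a notification listener service.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Brands the spyware is reported to hide behind, mapped to the packages that
# legitimately carry those names. The mapping is this example's assumption.
LEGIT_PACKAGES = {
    "google play": {"com.android.vending"},
    "youtube": {"com.google.android.youtube"},
    "chrome": {"com.android.chrome"},
    "google": {"com.google.android.googlequicksearchbox"},
}

# Permissions that together enable the monitoring the article lists
# (contacts, call logs, recording calls, reading SMS and files).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
UPDATE_WORDS = ("update", "updates")

# Constructed sample manifest: an "updates" app with two disabled decoy
# aliases and a notification listener. Names are placeholders, not IoCs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="System Apps Updates">
    <activity android:name=".Main"/>
    <activity-alias android:name=".ChromeAlias" android:label="Chrome"
        android:targetActivity=".Main" android:enabled="false"/>
    <activity-alias android:name=".YoutubeAlias" android:label="YouTube"
        android:targetActivity=".Main" android:enabled="false"/>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Extract package, all user-visible labels, and permission declarations."""
    root = ET.fromstring(xml_text)
    info = {"package": root.get("package", ""), "labels": [],
            "uses_permissions": set(), "service_permissions": set()}
    app = root.find("application")
    if app is not None:
        # Application label plus every activity / activity-alias label: the
        # aliases are where swapped launcher icons and names usually live.
        for el in [app] + list(app.iter("activity")) + list(app.iter("activity-alias")):
            label = (el.get(ANDROID_NS + "label") or "").strip()
            if label:
                info["labels"].append(label)
    for up in root.findall("uses-permission"):
        name = up.get(ANDROID_NS + "name")
        if name:
            info["uses_permissions"].add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            info["service_permissions"].add(perm)
    return info


def triage(info):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    pkg = info["package"]
    for label in info["labels"]:
        low = label.lower()
        if any(w in low for w in UPDATE_WORDS):
            findings.append("update-themed label: %r" % label)
        # Longest brand first so "Google Play" is not also treated as "Google".
        for brand in sorted(LEGIT_PACKAGES, key=len, reverse=True):
            if brand in low:
                if pkg not in LEGIT_PACKAGES[brand]:
                    findings.append("label %r imitates %s but package is %s" % (label, brand, pkg))
                break
    hits = info["uses_permissions"] & SURVEILLANCE_PERMISSIONS
    if len(hits) >= 3:
        findings.append("surveillance permission cluster: " + ", ".join(sorted(hits)))
    if NOTIFICATION_LISTENER in info["service_permissions"]:
        findings.append("declares a NotificationListenerService (can read and dismiss notifications)")
    return findings


def triage_sample():
    """Run the heuristic over the constructed manifest above."""
    return triage(parse_manifest(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for f in triage_sample():
        print("-", f)
```

Each finding on its own is weak (plenty of legitimate apps request RECORD_AUDIO, and an "Updates" label is not malicious), so the value is in the combination: an app whose only visible purpose is "updates" has no business shipping launcher aliases named after Chrome and YouTube alongside a notification listener and call-log access. In a real pipeline the manifest would come from `apktool d` or `aapt2 dump xmltree` rather than an inline string.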
"Spyware is a growing threat in an increasingly connected world," Kohli said. "The Android spyware linked to APT-C-23 has been around for at least four years, and attackers continue to develop it with new techniques that escape detection and removal."