
New variants of Android spyware enhanced for stealth and persistence: Sophos

New Android spyware variants harder to detect and remove.


New variants of Android spyware linked to C-23, an advanced persistent threat (APT) group active in the Middle East, have been enhanced for stealth and persistence, according to a new report by Sophos.

According to the report, the spyware presents itself as an update app with a generic icon and name, such as “App Updates.” Sophos researchers believe the attackers distribute the spyware app by sending a download link in the form of a text message to the target’s phone. When the target runs the spyware app, it asks for permissions to control various aspects of the phone. After the target has granted the necessary rights, the spyware then disguises itself using the name and icon of a legitimate app.

New variants

The new variants hide behind popular app icons such as Chrome, Google, Google Play, YouTube, or the BOTIM voice-over-IP service. If a target taps the fraudulent icon, the spyware launches the legitimate version of the app while maintaining surveillance in the background.
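The name-and-icon impersonation described above lends itself to a simple inventory check, shown here as an added Python example that is not part of the Sophos report: an installed app whose launcher label matches a well-known app but whose package name is not the genuine one is flagged, together with whether it came from the Play Store or was sideloaded. The package names for Chrome, Google, Google Play and YouTube are the standard ones; the BOTIM package name and every inventory entry are assumptions or constructed sample data.

```python
# Added example (not from the Sophos report): triage an Android app inventory
# for the impersonation pattern described above, where an app shows the label
# of a well-known app but is installed under a different package name.
from dataclasses import dataclass
from typing import Dict, List, Set

# Genuine package names for the apps the report says are impersonated.
# The first four are the standard names; the BOTIM entry is an assumption.
KNOWN_PACKAGES: Dict[str, Set[str]] = {
    "Chrome": {"com.android.chrome"},
    "Google": {"com.google.android.googlequicksearchbox"},
    "Google Play": {"com.android.vending"},
    "YouTube": {"com.google.android.youtube"},
    "BOTIM": {"im.thebot.messenger"},  # assumed package name
}
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class InstalledApp:
    label: str      # display name shown in the launcher
    package: str    # package name, unique per device
    installer: str  # package that installed it; "" when sideloaded


def triage(apps: List[InstalledApp]) -> List[str]:
    """Return one finding per app whose label borrows a well-known app's
    name while its package name is not the genuine one."""
    findings = []
    for app in apps:
        genuine = KNOWN_PACKAGES.get(app.label)
        if genuine is None or app.package in genuine:
            continue  # label not on the watch list, or it is the real app
        source = "Play Store" if app.installer == PLAY_STORE_INSTALLER else "sideloaded"
        expected = sorted(genuine)[0]
        findings.append(
            f"{app.package}: label '{app.label}' impersonates {expected} ({source})"
        )
    return findings


# Constructed inventory for demonstration, not data from a real device.
SAMPLE_INVENTORY = [
    InstalledApp("Chrome", "com.android.chrome", PLAY_STORE_INSTALLER),
    InstalledApp("YouTube", "com.google.android.youtube", PLAY_STORE_INSTALLER),
    InstalledApp("Chrome", "com.update.appupdates", ""),  # renamed itself "Chrome"
    InstalledApp("App Updates", "com.example.notes", ""),  # generic label, no match
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

In practice the inventory would come from a device management export or `pm list packages` plus each APK's label; the heuristic is a triage aid, not proof of compromise.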

The new variants of Android spyware share code with other malware samples attributed to APT C-23. Sophos researchers also found Arabic language strings in the code and observed that some of the text could be presented in either English or Arabic, depending on the language setting of a victim’s phone.

Compromised data

The spyware can collect text from SMS or other apps, contacts, call logs, images, and documents; record ambient audio and incoming and outgoing calls, including WhatsApp calls; take pictures and screenshots using the phone’s camera and record videos of the screen; read notifications from social media and messaging apps; and cancel notifications from built-in security apps, as well as from Android system apps. The spyware can also suppress its own notifications.

“Spyware is a growing threat in an increasingly connected world,” said Pankaj Kohli, threat researcher at Sophos. “The Android spyware linked to APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal. The attackers also use social engineering to lure victims into granting the permissions needed to see into every corner of their digital life. Fortunately, there are practical steps that people can take to protect against spyware and many of them are worth applying even if users don’t believe they’re a target for surveillance.”

For more information visit Sophos’ blog post on the new variants of Android spyware.

The news follows on from another new development, with cybercriminals using ‘droppers for hire’ to compromise systems.