Fake Telegram and Threema Android apps help to spy on users

by Julie Splinters

A hacker group known for attacks in the Middle East uses fake apps to spread new Android spyware

New Android spyware is acting as Telegram and Threema

A group of hackers, active since at least 2017, recently started using fake messaging apps to infect Android devices with new malware that can secretly record phone calls. They created a fake Android app store called “DigitalApps” and use it to spread a previously undocumented infection through impersonated apps such as Telegram, Threema, and weMessage.

Cybersecurity firm ESET started investigating and finally discovered this new Android spyware after a fellow researcher tweeted[1] about an unknown Android malware sample in April 2020. One of the ESET researchers explained:[2]

Compared to the versions documented in 2017, Android/SpyC23.A has extended spying functionality, including reading notifications from messaging apps, call recording and screen recording, and new stealth features, such as dismissing notifications from built-in Android security apps. One of the ways the spyware is distributed is via a fake Android app store, using well-known apps as a lure.

APT-C-23 activity started three years ago, and new variants are discovered every year

The creators of this newly discovered Android spyware go by several names: APT-C-23,[3] Two-tailed Scorpion, and Desert Scorpion. The group mainly targets users in the Middle East. APT-C-23 uses both Windows and Android components to accomplish its attack goals. These cybercriminals were first detailed by Qihoo 360 in 2017. At that time, their malware was able to spy on the victim's device and exfiltrate contacts, call logs, messages, location details, photos, files, and more.

Another version of APT-C-23-created malware was found in 2018 by Symantec.[4] The cybercriminals used a malicious media player to obtain information from the victim's device. Moreover, this malware also tried to trick users into installing additional malware.

Also, in February of this year, the Check Point Research team reported further APT-C-23 group activity.[5] The threat was named Hamas Android malware. Its operators posed as teenage girls on Instagram, Facebook, and Telegram to lure Israeli soldiers into downloading malware-infected applications onto their devices.

The malware is capable of spying on your Android device and even stealing files

Now, the ESET cybersecurity team has discovered a new Android malware created by APT-C-23/Two-tailed Scorpion. When the ESET team analyzed the fake Android app store, they found that it contained not only malicious but also clean apps. The newest spyware version, named Android/SpyC23.A, hid its malicious features by posing as Threema, Telegram, AndroidUpdate, and weMessage applications.

After the download, the spyware requests permissions, and the victim accepts them because the requests are disguised as privacy and security features. ESET cybersecurity researcher Lukas Stefanko said[6] that the malware's permission requests are really tricky. For example, it masks the permission to read notifications as a message-encryption feature.

After the permissions are granted, the Android virus[7] can start different types of espionage activity based on commands from its C&C server. This malware can act as a very powerful spying tool. It is capable of:

  • making screen and call recordings;
  • exfiltrating call logs, contacts, and SMS;
  • recording audio;
  • reading notifications from messaging applications;
  • stealing files;
  • dismissing notifications from some security apps.
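A "messaging" app that needs call-log, SMS, contact and microphone access plus a notification listener is asking for exactly the capability set listed above. The following Python triage script is an added example, not ESET's tooling or anything from the article; it parses a constructed AndroidManifest.xml fragment and maps the declared permissions onto those capabilities so a reviewer can see what an app could do before installing it. The permission-to-capability mapping is an assumption drawn from the public Android permission model.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from Android permissions to the spying capabilities the
# article attributes to Android/SpyC23.A (not taken from the ESET report).
CAPABILITY_PERMISSIONS = {
    "call/audio recording": {"android.permission.RECORD_AUDIO"},
    "call log exfiltration": {"android.permission.READ_CALL_LOG"},
    "contact exfiltration": {"android.permission.READ_CONTACTS"},
    "SMS exfiltration": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "file theft": {"android.permission.READ_EXTERNAL_STORAGE"},
}
# Reading other apps' notifications requires a service bound with this permission.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed manifest for a hypothetical fake chat app (sample input, not a real package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the declared permissions and the spying capabilities they enable."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    declared = {e.get(name_attr) for e in root.iter("uses-permission")}
    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items() if declared & perms)
    # Notification access is not a <uses-permission>; look for a listener-bound service.
    if any(s.get(perm_attr) == NOTIFICATION_LISTENER for s in root.iter("service")):
        capabilities.append("notification reading")
    return {"declared": sorted(p for p in declared if p), "capabilities": capabilities}


if __name__ == "__main__":
    for cap in triage_manifest(SAMPLE_MANIFEST)["capabilities"]:
        print("WARNING: app can perform", cap)
```

On a real APK the manifest is binary-encoded, so it must first be decoded (for example with `apktool` or `aapt dump xmltree`) before being fed to this function.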

The ESET team recommends installing applications only from the official Google Play Store to avoid this and other threats. Users should also always double-check what permissions a downloaded app requests and use the newest version of reputable mobile anti-malware software. This malware is not the only one on the internet, so users should be extra careful when browsing and especially when downloading apps from suspicious, unofficial stores.

About the author
Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
