Threat actors target the Middle East with advanced Android Spyware

The new variants of Android malware linked with a known APT group

App masked as the generic updater is the spywareAndroid spyware sent around to Middle East users for sruveilance

Reports about the Middle Eastern APT group and the new Android spyware surfaced. These threat actors launched the drop of evolved malware that has capabilities allowing it to be stealthier and more persistent.[1] The infection manages to stay under the radar by posing as common application updates.[2] The surveillance in the background is maintained while the real apps like Google Play, Youtube, Chrome get launched on the screen.

Sophos researchers reported the malware attacks and stated that new features got included in the malicious apps, so users are not taking any actions of removal due to the lack of suspicion.[3]

The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence.

It is believed that the spyware appears as the app update program with a generic icon to avoid notice and removal. It is distributed via download links in text messages sent to potential victims. Running the app triggers the form with a permission request that allows control of different parts of the mobile phone.

Attackers use social engineering to convince people that this is the necessary step for the proper system updates. Once the permission is granted, the spyware collects various details in the background. The legitimate application disguise allows the malware to launch a real program on the screen while the data is collected.

The known APT group from the Middle East

This new evolved mobile malware is linked to the APT C-23 group that has been around for a while, and attackers are known for targeting particularly Middle Eastern users, specifically Palestinians.[4] Evading detection and avoiding malware removal are the main goals and the new additions to the malware developed recently.

The hacker group known by the names like Desert Scorpion, FrozenCell, GnatSpy are focused on mobile malware and surveillance functionality that allows to vacuum files, images, contacts, call logs, read notifications, messaging apps, record calls via different programs and keep the user from seeing the notifications from other Android applications.

The group uses social engineering methods and lures victims into allowing the needed control on the infected machine so that spying can begin. This APT group has been active in the Middle East since at least 2017, so these new variants share some specifications with other threat samples related to this group. The research revealed some Arabic language in the string of the malware code, meaning that depending on the language settings on the affected device, the text appears in either English or Arabic language.

9 million Android phones received malware recently

The report and analysis on the latest campaign also listed the ways to avoid getting the spyware on the machine. Users should never install applications from sources that are not trustworthy or official. Updating applications from random sites or trusting the pop-ups on the screen can cause major issues. Google Play and other legitimate sources should be the ones where the Android users get upgrades and programs in general.

However, sometimes even legitimate sources can deliver the infection and malicious apps. It was recently revealed that 9.3 million Android devices got infected when apps got downloaded from Huawei AppGallery.[5] New class of malicious pieces got disguised as arcade, shooter, strategy games in the marketplace. Eventually, these programs end up stealing device information and mobile phone numbers.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions