“Android APT Spyware, Targeting Middle East Victims, Improves Evasiveness,” according to Sophos, describes new Android spyware variants linked to C-23, an advanced persistent threat (APT) adversary operating in the Middle East since 2017. The stealth and persistence of the new variations have been improved.
“Spyware is a growing threat in an increasingly connected world,” said Pankaj Kohli, a threat researcher at Sophos.
He added, “The Android spyware linked to APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal. The attackers also use social engineering to lure victims into granting the permissions needed to see into every corner of their digital life. Fortunately, there are practical steps that people can take to protect against spyware and many of them are worth applying even if users don’t believe they’re a target for surveillance.”
The spyware appears as an update application with a generic symbol and name, such as “App Updates.” According to Sophos experts, the spyware app is distributed by sending a download link in the form of a text message to the target’s phone. When a victim runs the spyware program for the first time, it requests permission to manipulate several parts of the phone. The attackers utilize social engineering to persuade the target that these permissions are required for the program to work. After the target has acquired the required permissions, the spyware hides behind the name and icon of a real app. This makes it more difficult for the phone’s owner to locate and remove spyware manually.
The new variants hide behind more and more diversified disguises than prior versions, including Chrome, Google Play, YouTube, and the BOTIM voice-over-IP service. If a fraudulent icon is clicked, the spyware opens the legitimate version of the software while monitoring the victim.
Previous versions of the malware relied on a single command-and-control domain that was hardcoded into the software and managed by the criminals. The spyware was disabled if a defence discovered and pulled down the domain. According to Sophos researchers, the attackers may have attempted to address this possible flaw in the latest variations, which can transfer the command-and-control server to a different domain. This permits the spyware to keep running even if the domain is taken down.
Other malware samples linked to APT C-23 share code with the new variants. Researchers from Sophos discovered Arabic language strings in the code and the fact that portions of the material could be rendered in either English or Arabic depending on the language settings of the victi’’s phone.
Collection of text from SMS or other apps, contacts, call logs, images, and documents; recording ambient audio and incoming and outgoing calls, including WhatsApp calls; taking pictures and screen shots with a phone’s camera and recording videos of the screen; reading notifications from social media and messaging apps; and canceling notifications from built-in security apps, as well as from a third-party app. The spyware can also turn off its own alerts.
Anyone concerned about spyware or potentially unwanted applications (PUAs) should take the following steps, according to Sophos:
• Apps requesting sensitive rights, such as device admin or notification access, or those demanding superuser/root access, should be avoided. By going to “Settings” and searching for “device admin apps” and “notification access,” users may see which apps have device admin and notification access permissions.
• The unexpected disappearance of an app icon after it has been run for the first time is generally a sign of a harmful or unwelcome application.
• Users who have been infected with this family of malware can manually uninstall the apps by going to the list of installed programs, selecting “Settings->Apps,” and then scrolling to find the app’s original name (such as “App Updates,” “System Apps Updates,” or “Android Update Intelligence”).
• Many other types of mobile malware, on the other hand, hide themselves in the list of installed apps.
Users will require the assistance of an anti-malware solution to eliminate these.
• Users should also install a mobile security solution, such as Intercept X for Mobile, to detect spyware and malware automatically, according to Sophos.
• Users should only install mobile apps from trusted sources, such as Google Play, to prevent falling prey to fraudulent programmes. Instead than relying on third parties, update Android OS and other apps through Android Settings and Google Play.
