Shared code and tell-tale Arabic text strings helped to ease the detective work.

An advanced persistent threat group active in the Middle East, APT C-23, has been linked to newly detected variants of Android spyware that are more stealthy and persistent.

The spyware is delivered through text messages containing a download link; the app it installs has a generic icon and name, such as “App Updates”, and presents itself as an update app. The first time a target runs the spyware app, it asks for permissions to control various aspects of the phone, using social engineering to convince the target that the permissions are essential for the app to function.

After the target has granted the necessary rights, the spyware then disguises itself using the name and icon of a legitimate app. This makes it harder for the phone user to find and manually remove the spyware.

Updated for evasion, persistence

Previous versions of the spyware relied on a single command-and-control domain that was hardcoded in the app and operated by the attackers. If a defender found and took down the domain, the spyware was disabled. The current variants can switch to a different command-and-control server domain as needed.

Nefarious features from previous versions of the spyware remain unchanged, such as: collecting text from SMS or other apps, contacts, call logs, images, and documents; recording ambient audio and incoming and outgoing calls (including WhatsApp calls); taking pictures and screenshots using a phone’s camera and recording videos of the screen; reading notifications from social media and messaging apps; and canceling notifications from built-in security apps and Android system apps. The spyware can also suppress its own notifications.
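Reading and cancelling other apps' notifications on Android requires notification-listener access, and the kind of screen control described above is typically obtained through an accessibility service; both are rights a user must grant explicitly, which is what the social-engineering step exists for. The script below is an added triage example, not Sophos's tooling or anything from the malware: it parses the values Android stores for these settings (the colon-separated `package/Component` lists returned by `adb shell settings get secure enabled_notification_listeners` and `adb shell settings get secure enabled_accessibility_services`) and flags any package not on a hypothetical allowlist. The allowlist contents and the sample device output are constructed for illustration.

```python
"""Added triage helper: list apps holding notification-listener or accessibility
access that are not on an expected allowlist. Input is the raw text returned by
    adb shell settings get secure enabled_notification_listeners
    adb shell settings get secure enabled_accessibility_services
which Android stores as 'pkg/Class:pkg2/Class2' (or 'null' when unset)."""

from typing import Dict, List, Set

# Hypothetical allowlist: packages this device owner expects to hold each right.
EXPECTED_LISTENERS: Set[str] = {"com.google.android.wearable.app"}
EXPECTED_ACCESSIBILITY: Set[str] = {"com.google.android.marvin.talkback"}


def parse_component_list(raw: str) -> List[str]:
    """Split Android's colon-separated component list into entries.
    An unset setting ('null') or an empty string yields an empty list."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def package_of(component: str) -> str:
    """'com.example.app/.NLService' -> 'com.example.app'."""
    return component.split("/", 1)[0]


def unexpected_holders(raw: str, expected: Set[str]) -> List[str]:
    """Packages present in the setting but absent from the allowlist, deduplicated."""
    holders = {package_of(c) for c in parse_component_list(raw)}
    return sorted(holders - expected)


def triage(listeners_raw: str, accessibility_raw: str) -> Dict[str, List[str]]:
    """Run both checks; anything returned deserves a manual look at the package."""
    return {
        "notification_listeners": unexpected_holders(listeners_raw, EXPECTED_LISTENERS),
        "accessibility_services": unexpected_holders(accessibility_raw, EXPECTED_ACCESSIBILITY),
    }


# Constructed sample output (not captured from a real device). The second
# listener entry mimics a generic "updates" app that has obtained both rights.
SAMPLE_LISTENERS = (
    "com.google.android.wearable.app/com.google.android.clockwork.companion.NotificationListener"
    ":com.appupdates.sys/.NLService"
)
SAMPLE_ACCESSIBILITY = "com.appupdates.sys/.AccService"

if __name__ == "__main__":
    for right, packages in triage(SAMPLE_LISTENERS, SAMPLE_ACCESSIBILITY).items():
        print(f"{right}: {packages or 'nothing unexpected'}")
```

A package that appears in both lists and has a generic label is exactly the profile worth checking with `adb shell dumpsys package <name>` before deciding whether to remove it; note that the disguise step described above means the label shown in the launcher may no longer match the package name.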

The new variants use more, and more varied, disguises than previous versions, hiding behind popular app icons such as Chrome or YouTube, or the BOTIM voice-over-IP service. If a target taps the icon of the fraudulent app, the spyware launches the legitimate version of the app while continuing its surveillance in the background.

Sophos researchers tracked the provenance of the new variants through the discovery of shared code common in malware samples attributed to APT C-23. They also found Arabic language strings in the code and observed that some of the text could be presented in either English or Arabic, depending on the language setting of a victim’s phone.

According to Pankaj Kohli, a threat researcher at Sophos: “The Android spyware linked to APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal. The attackers also use social engineering to lure victims into granting the permissions needed to see into every corner of their digital life. Fortunately, there are practical steps that people can take to protect against spyware and many of them are worth applying even if users don’t believe they’re a target for surveillance.”