ESET researchers uncover a new version of Android spyware used by the APT-C-23 threat group against targets in the Middle East
We have discovered a previously unreported version of Android spyware used by APT-C-23, a threat group also known as Two-tailed Scorpion and mainly targeting the Middle East. ESET products detect the malware as Android/SpyC23.A.
The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published.
Compared to the versions documented in 2017, Android/SpyC23.A has extended spying functionality, including reading notifications from messaging apps, call recording and screen recording, and new stealth features, such as dismissing notifications from built-in Android security apps. One of the ways the spyware is distributed is via a fake Android app store, using well-known apps as a lure.
The group’s activities were first described by Qihoo 360 Technology in March 2017 under the name Two-tailed Scorpion. In the same year, Palo Alto Networks, Lookout and Trend Micro described other versions of the mobile malware, naming them VAMP, FrozenCell and GnatSpy, respectively. Lookout published an analysis of another version of the malware, named Desert Scorpion, in April 2018, and at the beginning of 2020, Check Point Research reported new mobile malware attacks attributed to the APT-C-23 group.
In April 2020, @malwrhunterteam tweeted about a new Android malware sample. According to the VirusTotal service, no security vendor besides ESET detected the sample at the time. In cooperation with @malwrhunterteam, we recognized the malware to be part of the APT-C-23 arsenal.
Figure 1. VirusTotal detection rate for one of the newly discovered samples
In June, 2020, @malwrhunterteam tweeted about another little-detected Android malware sample, which turned out to be connected to the sample from April. A deeper analysis showed that both the April and June discoveries were both variants of the same new Android malware used by the APT-C-23 group.
Figure 2 shows the timeline of these events.
Figure 2. Timeline of previously documented APT-C-23 mobile malware and ESET’s 2020 investigation
Thanks to information from @malwrhunterteam, we identified a fake Android app store used to distribute the malware. At the time of analysis, the “DigitalApps” store, pictured in Figure 3, contained both malicious and clean items. The non-malicious items would redirect users to another unofficial Android app store, serving legitimate apps. The malware was hidden in apps posing as AndroidUpdate, Threema and Telegram. The latter two of these lures also downloaded the impersonated apps with full functionality along with the malware. This mechanism is described in detail in the Functionality section.
Figure 3. The fake app store serving APT-C-23 spyware
Interestingly, the downloads were limited by needing to enter a six-digit coupon code, as seen in Figure 4. This may be a way to prevent those not targeted by the group from installing the malware, and hence keep a lower profile. Although we didn’t have a coupon code, downloading the app wasn’t such a problem – all that was needed was to append “/download” to the URL.
Figure 4. The fake app store requiring a coupon code for downloading malware
This fake app store is likely just one of the distribution methods used by the threat group. Our telemetry from 2020 showed samples impersonating apps that were not a part of this fake app store.
According to ESET telemetry and VirusTotal data, Android/SpyC23.A has been in the wild since May 2019.
In June 2020, ESET systems blocked this spyware on client devices in Israel. The detected malware samples were disguised as the messaging app “WeMessage”, shown in Figure 5.
While there is a legitimate messaging app called weMessage on Google Play, as seen in Figure 6, the malicious app uses entirely different graphics and doesn’t seem to impersonate the legitimate app other than by appropriating its name. In our research, we haven’t found another app using the same or similar interface as the malicious WeMessage app, so it’s possible that the attackers created custom graphics.
We don’t know how this particular version of the spyware was distributed – the malicious WeMessage app wasn’t offered in the aforementioned fake app store.
Figure 5. Graphics used by the malicious WeMessage app
Figure 6. The legitimate weMessage app on Google Play
Based on our research, the malware mainly impersonates messaging apps. The attackers might have chosen this guise to justify the various permissions requested by the malware.
Before installation, Android/SpyC23.A requests a number of invasive permissions, including taking pictures and videos, recording audio, reading and modifying contacts, and reading and sending SMS.
After installation, the malware requests a series of additional, sensitive permissions, using social engineering-like techniques to fool technically inexperienced users. These additional permission requests are disguised as security and privacy features:
These steps are shown in the video below.
After the malware is initialized, in most cases, victims are requested to manually install the legitimate app used as a lure (e.g. Threema), which is stored in the malware’s resources. While the legitimate app is being installed, the malware hides its presence on the affected device. This way, the victims end up with a functioning app they intended to download and spyware silently running in the background. In some cases (e.g. WeMessage, AndroidUpdate) the downloaded apps did not have any real functionality, and only served as bait for installing the spyware.
When first launched, the malware starts to communicate with its Command and Control (C&C) server. It registers the new victim and sends the victim’s device information to the C&C.
Based on the commands received, Android/SpyC23.A can perform the following actions:
The following features are new in Android/SpyC23.A compared to the previously documented versions:
Besides spying capabilities, the malware’s C&C communication has also undergone an update. In older versions, the C&C in use was hardcoded and either available in plain text or trivially obfuscated, and thus easier to identify. In the updated version, the C&C is well hidden using various techniques and can be remotely changed by the attacker.
In this section, we will describe how Android/SpyC23.A retrieves its C&C server.
The malware uses a native library with three functions. Two of them return opening and closing HTML tags for the title and the third one returns an encrypted string.
Figure 7. Returned strings from the native library
The encrypted string serves two purposes: the first part – before the hyphen (“-”) – is used as part of the password to encrypt files extracted from the affected device. The second part is first decoded (base64) and then decrypted (AES). The decrypted string might, for example, suggest a Facebook profile page for the C&C, but it is still obfuscated.
Figure 8. Decrypted but still obfuscated URL
Some of the substrings in this string are replaced based on a simple substitution table and then the domain part of the apparent URL is replaced.
Figure 9. Decrypted and deobfuscated URL
From this URL, the malware parses the HTML for its title tag.
Figure 10. Parsing website title to retrieve the C&C server
The last step is to replace the first space with a dash and the second one with a dot. With that, obtaining the C&C is done. Such a process allows the malware operators to change their C&C server dynamically.
Figure 11. C&C communication
The malware’s live C&C servers typically pose as websites under maintenance, all using the same logo, shown in Figure 12.
Figure 12. The malware’s C&C server
Our research shows that the APT-C-23 group is still active, enhancing its mobile toolset and running new operations. Android/SpyC23.A – the group’s newest spyware version – features several improvements making it more dangerous to victims.
To prevent falling victim to spyware, we advise Android users to only install apps from the official Google Play Store. In cases where privacy concerns, access issues or other restrictions prevent users from following this advice, users should take extra care when downloading apps from unofficial sources. We recommend scrutinizing the app’s developer, double-checking the permissions requested, and using a trustworthy and up-to-date mobile security solution.
For any inquiries, contact us at firstname.lastname@example.org.
This table was built using version 7 of the ATT&CK framework.