Cyber Daily Report

News

Home News

Android Spyware Variant Snoops on WhatsApp, Telegram Messages

  • Lindsey O'Donnell--Threatpost
  • published date: 2020-09-30 19:14:42 UTC

The Android malware comes from threat group APT-C-23, also known as Two-Tailed Scorpion and Desert Scorpion.

<div class="c-article__content js-reading-content"> <p>Researchers say they have uncovered a new Android spyware variant with an updated command-and-control communication strategy and extended surveillance capabilities that snoops on social media apps WhatsApp and Telegram.</p> <p>The malware, Android/SpyC32.A, is currently being used in active campaigns targeting victims in the Middle East. It is a new variant of an existing malware operated by threat group APT-C-23 (also known as Two-Tailed Scorpion and Desert Scorpion). APT-C-23 is known to utilize both Windows and Android components, <a href="https://threatpost.com/google-play-boots-three-malicious-apps-from-marketplace-tied-to-apts/131214/" target="_blank" rel="noopener noreferrer">and has previously targeted victims</a> in the Middle East with apps in order to compromise Android smartphones.</p> <p>“Our research shows that the APT-C-23 group is still active, enhancing its mobile toolset and running new operations,” according to researchers with ESET <a href="https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" target="_blank" rel="noopener noreferrer">in a report released Wednesday</a>. “Android/SpyC32.A – the group’s newest spyware version – features several improvements making it more dangerous to victims.”</p> <p><a href="https://threatpost.com/newsletter-sign/"><img class="aligncenter wp-image-141989 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt="" width="700" height="50"></a></p> <p>APT-C-23’s activities – including its mobile malware – were first described in 2017 by several security research teams. Meanwhile, the updated version, Android/SpyC23.A, has been in the wild since May 2019 and was first detected by researchers in June 2020.</p> <p>The detected malware samples were disguised as a legitimate messaging app offered through Google Play. The app, called WeMessage, is malicious, researchers said, and uses entirely different graphics and doesn’t seem to impersonate the legitimate app other than by name. Researchers said, this malicious app does not have any real functionality, and only served as bait for installing the spyware.</p> <p>Researchers also said they don’t know how this fake WeMessage app was distributed. Previous versions of the malware were distributed in apps via a fake Android app store, called the “DigitalApps” store. The fake app store distributed both legitimate apps as well as fake apps posing as AndroidUpdate, Threema and Telegram. However, researchers said that the fake WeMessage app was not on the “DigitalApps” store.</p> <h2><strong>New Updates</strong></h2> <p>Previously documented versions of this spyware have various capabilities, including the ability to take pictures, record audio, exfiltrate call logs, SMS messages and contacts and more. They would do so by requesting a number of invasive permissions, using social engineering-like techniques to fool technically inexperienced users.</p> <div id="attachment_159699" style="width: 213px" class="wp-caption alignleft"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/30143059/Figure-6.-The-legitimate-weMessage-app-on-Google-Play-1.png"><img aria-describedby="caption-attachment-159699" class="size-full wp-image-159699" src="https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/30143059/Figure-6.-The-legitimate-weMessage-app-on-Google-Play-1.png" alt="APT-C-23 mobile malware " width="203" height="240"></a><p id="caption-attachment-159699" class="wp-caption-text">Legitimate WeMessage app. Credit: ESET</p></div> <p>This latest version has extended surveillance capabilities, specifically targeting information collected from social media and messaging apps. The spyware can now record victims’ screens and take screenshots, record incoming and outgoing calls in WhatsApp and read text of notifications from social media apps, including WhatsApp, Facebook, Skype and Messenger.</p> <p>The malware also leverages a tactic where it creates a blank screen overlay to put on the Android screen while it makes calls, which helps it hide its call activity. In another technique to hide its activity the malware can dismiss its own notifications. Researchers say this is an unusual feature, possibly used in case of errors or warnings displayed by the malware.</p> <p>Finally, the new version of the malware can dismiss notifications from built-security security apps for Android devices (allowing it to hide security warnings of suspicious activity from the victim), including Samsung notifications, SecurityLogAgent notifications on Samsung devices, MIUI Security notifications on Xiaomi devices and Phone Manager on Huawei devices.</p> <p>The malware’s C2 communications have also received a facelift. In older versions, the malware used hardcoded C2, either available in plain text or trivially obfuscated – meaning it was easier to identify. In the updated version, however, the C2 is well hidden using various techniques and can be remotely changed by the attacker, making detection much more difficult, researchers said.</p> <h2><strong>Other APT-C-23 Sightings</strong></h2> <p>It’s not the first analysis of APT-C-23 this year. At the beginning of 2020, Check Point Research <a href="https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" target="_blank" rel="noopener noreferrer">reported</a> new mobile malware attacks attributed to the APT-C-23 group. In April 2020, meanwhile, @malwrhunterteam <a href="https://twitter.com/malwrhunterteam/status/1250735356015714305" target="_blank" rel="noopener noreferrer">tweeted</a> about a new Android malware variant, which researchers – in cooperation with @malwrhunterteam – recognized to be part of the APT-C-23 operations. Then in June 2020, @malwrhunterteam <a href="https://twitter.com/malwrhunterteam/status/1270715368139452416" target="_blank" rel="noopener noreferrer">tweeted</a> about another Android malware sample, which was connected to the sample from April.</p> <div id="attachment_159697" style="width: 310px" class="wp-caption alignleft"><a href="https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/30142843/Figure-2.-Timeline-of-previously-documented-APT-C-23-mobile-malware-and-ESET%E2%80%99s-2020-investigation.png"><img aria-describedby="caption-attachment-159697" class="size-medium wp-image-159697" src="https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/30142843/Figure-2.-Timeline-of-previously-documented-APT-C-23-mobile-malware-and-ESET%E2%80%99s-2020-investigation-300x79.png" alt="APT-C-23 mobile malware" width="300" height="79"></a><p id="caption-attachment-159697" class="wp-caption-text">APT-C-23 malware timeline. Credit: ESET</p></div> <p>To avoid falling victim to spyware, researchers advised Android users to only install apps from the official Google Play app store and to scrutinize apps’ permissions.</p> <p>“In cases where privacy concerns, access issues or other restrictions prevent users from following this advice, users should take extra care when downloading apps from unofficial sources,” said researchers. “We recommend scrutinizing the app’s developer, double-checking the permissions requested, and using a trustworthy and up-to-date mobile security solution.”</p> <div><strong><a href="https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=oct_webinar" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source%3DART%26utm_medium%3DART%26utm_campaign%3Doct_webinar&amp;source=gmail&amp;ust=1601574682489000&amp;usg=AFQjCNGTvj-lYdqwtRo6RxN2RmBLXvoGIw">On October 14 at 2 PM ET</a> Get the latest information on the rising threats to retail e-commerce security and how to stop them. <a href="https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=oct_webinar" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source%3DART%26utm_medium%3DART%26utm_campaign%3Doct_webinar&amp;source=gmail&amp;ust=1601574682489000&amp;usg=AFQjCNGTvj-lYdqwtRo6RxN2RmBLXvoGIw">Register today</a> for this FREE Threatpost webinar, “<a href="https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=oct_webinar" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source%3DART%26utm_medium%3DART%26utm_campaign%3Doct_webinar&amp;source=gmail&amp;ust=1601574682489000&amp;usg=AFQjCNGTvj-lYdqwtRo6RxN2RmBLXvoGIw">Retail Security: Magecart and the Rise of e-Commerce Threats.</a>” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this <a href="https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=oct_webinar" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source%3DART%26utm_medium%3DART%26utm_campaign%3Doct_webinar&amp;source=gmail&amp;ust=1601574682489000&amp;usg=AFQjCNGTvj-lYdqwtRo6RxN2RmBLXvoGIw">LIVE </a>webinar. </strong></div> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Android Spyware Variant Snoops on WhatsApp, Telegram Messages" data-url="https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/malware-2/">Malware</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/mobile-security/">Mobile Security</a></li> </ul> </div> </div> </footer> </div>

Most Popular

MixMode Raises $45 Million in Series B Funding Round Led by PSG to Automate Cyberattack Detection

  • None -- Security Boulevard
  • Published date: 2022-03-23 14:16:00 UTC

Ukraine War Alters Security Landscape for Orgs, ERM Leaders

  • None -- Security Boulevard
  • Published date: 2022-03-23 12:46:00 UTC

IoT is magic for building automation systems. But what about security?

  • Shaun Cooley -- Securitymagazine.com
  • Published date: 2022-03-23 04:00:00 UTC

A Closer Look at the LAPSUS$ Data Extortion Group

  • None -- securityboulevard.com
  • Published date: 2022-03-23 00:00:00 UTC

What is CWPP? (Cloud Workload Protection Platform)

  • None -- securityboulevard.com
  • Published date: 2022-03-23 00:00:00 UTC