APT-C-23 is a hacking group which is also called ‘Two-tailed scorpion.’ It mainly targets the Middle Eastern organizations, and they have been quite active since 2017 when their malicious activities were first discovered by Qihoo 360 Technology. In the same year, a few months apart, Palo Alto Networks found another version of their mobile malware and named them VAMP. Later, Trend Micro and Lookout also discovered some of their mobile malware variants and named them GnatSpy and FrozenCell.
In 2018, Lookout published an analytical report on one of their malware variants which they had named ‘Desert Scorpion.’ The group again became wildly active in 2019, and in early 2020, the Check Point researchers published a report about some malware attacks on mobiles, and they all were found to be connected to the APT-C-23 group.
In April, the Malware Hunter Team discovered a sample of Android malware, and later in June, the team tweeted about another Android malware variant, and it was found out to be a part of the sample they had detected in April. ESET’s security teams dug deeper and found out that both these samples were actually parts or variants of a totally new Android mobile malware which is being used by the APT-C-23 group and has been named as Android/Spy C23. It was also revealed that this group uses both Windows and Android components for their malicious activities.
According to the security researchers and specialists, this group is distributing this malware through a fake Android application store, called as ‘DigitialApps.’ This app store contains both non-malicious and malicious contents, and it was discovered that this group hid the spyware amongst these apps as a separate ‘Android Update’ feature which looked to be a part of the mobile system.
To lure the customers, the company used apps like Threema and Telegram to hide their spying software. However, to remain low-profile and undetected by security for a long time, they devised an interesting system. If someone wanted to download an app from DigitialApps, they had to enter a six-digited code from their coupon. This way, a huge influx of customers was prevented from downloading the apps, which probably means that this group was trying to target some specific people or organizations. However, the ESET researchers found a way to download the spyware through some other means that are probably being used by the hackers already too.
After installation, the researchers found that this spyware can activate the camera of the users without them knowing, record their audios, restart the WiFi, exfiltrate SMS messages, Phone Contacts, and Call Logs. Through this spyware, the hackers can download and delete files in the victim’s mobile, and they can steal files with pdf, doc, Docx, ppt, Xls, txt, jpeg, jpg, png extensions. And all this while, they can keep their spyware completely hidden.
ESET also explained that the dangerous malware can “record incoming and outgoing calls in WhatsApp”, plus, it can “read text of notifications from selected messaging and social media apps, including WhatsApp, Facebook, Telegram, Instagram, Skype, Messenger, Viber and IMO.
So, as a precaution, the ESET researchers strongly advise users to install apps from official app stores only, and they should pay close attention to the developer’s information and data permissions before installing any of their apps.
Read next: More than half of consumers aren’t concerned with the security of payment apps (Survey)