A new mobile malware family, dubbed GnatSpy, that may be a much more dangerous variant of the earlier VAMP malware, has been reported in the wild.
Trend Micro believes the threat group APT-C-23, which was behind VAMP, has been developing GnatSpy with components and capabilities that are very similar to VAMP, but with several improvements added.
“The structure of the new GnatSpy variants is very different from previous variants. More receivers and services have been added, making this malware more capable and modular. We believe this indicates that GnatSpy was designed by someone with more knowledge in good software design practices compared to previous authors,” Trend Micro wrote in a company blog post.
Other changes include:
- Using more Java annotations and reflection methods in an attempt to evade detection.
- VAMP’s command and control (C&C) server’s URL was listed in simple plain text in the code, but this has been replaced with a function call that is used to obtain the C&C server’s URL.
- APT-C-23 also registered many new C&C domains which are either named after people or TV show characters such as “lagertha-lothbrok.”
- Upgrading the version of Apache used to 2.4.18
Not only has the malware been improved, but the malicious actors are pulling more information from the infected device, such as, battery, memory and storage usage, and SIM card status. This is in addition to the images, text messages, contacts and call history that VAMP would remove.
The effort put in by APT-C-23 proves that resilience and dedication are ideals that are found not only within law-abiding groups.
“Threat actors can be remarkably persistent even if their activities have been exposed and documented by researchers. This appears to be the case here. The threat actors behind GnatSpy are not only continuing their illicit activities, but they are also improving the technical capabilities of their malware,” Trend Micro concluded.