A report released Tuesday details how a Middle East-based advanced persistent threat (APT) adversary is targeting Android users with new, stealthy spyware variants, particularly in the Palestinian territories.

The cybersecurity software firm Sophos details how the C-23 threat group’s variants are enhanced for stealth and persistence, and could be effective against victims beyond the current pool within Middle East borders.

The spyware presents itself as an update app with a generic icon and name, such as “App Updates.” Sophos researchers think the attackers send a download link in the form of a text message to the target’s phone and, through social engineering, the target grants the necessary permissions and the spyware disguises itself using the name and icon of a legitimate app, such as Chrome, Google, Google Play, YouTube or the BOTIM voice-over-IP service. The fraudulent icon will launch the legitimate version of the app while maintaining surveillance in the background. 

Sophos researchers believe that the attackers have tried to address a weakness of previous versions that switches the command-and-control server to a different domain, which allows the spyware to continue operating even after a domain takedown. The new variants also share code with other malware samples attributed to C-23, which has been operating since 2017, according to Sophos.

Nefarious features from previous versions of the spyware remain unchanged, such as: 

  • Collecting text from SMS or other apps, contacts, call logs, images, and documents; 
  • Recording ambient audio and incoming and outgoing calls, including WhatsApp calls; 
  • Taking pictures and screenshots using a phone’s camera and recording videos of the screen; 
  • Reading notifications from social media and messaging apps; 
  • Canceling notifications from built-in security apps, as well as from Android system apps. 

The spyware can also suppress its own notifications.

“Spyware is a growing threat in an increasingly connected world,” Sophos threat researcher Pankaj Kohli said in a statement. “The Android spyware linked to APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal.”

The attackers also use social engineering to lure victims into granting the permissions needed to see into every corner of their digital life, the researcher added.