Threat Intelligence, Endpoint/Device Security, Endpoint/Device Security, Phishing, Endpoint/Device Security, Endpoint/Device Security

Spyware targeting Android users in the Middle East

Attendees visit the Android booth during the Google I/O developers conference at the Moscone Center on May 15, 2013, in San Francisco. (Photo by Justin Sullivan/Getty Images)

A report released Tuesday details how a Middle East-based advanced persistent threat (APT) adversary is targeting Android users with new, stealthy spyware variants, particularly in the Palestinian territories.

The cybersecurity software firm Sophos details how the C-23 threat group’s variants are enhanced for stealth and persistence, and could be effective against victims beyond the current pool within Middle East borders.

The spyware presents itself as an update app with a generic icon and name, such as “App Updates.” Sophos researchers think the attackers send a download link in the form of a text message to the target’s phone and, through social engineering, the target grants the necessary permissions and the spyware disguises itself using the name and icon of a legitimate app, such as Chrome, Google, Google Play, YouTube or the BOTIM voice-over-IP service. The fraudulent icon will launch the legitimate version of the app while maintaining surveillance in the background. 

Sophos researchers believe that the attackers have tried to address a weakness of previous versions that switches the command-and-control server to a different domain, which allows the spyware to continue operating even after a domain takedown. The new variants also share code with other malware samples attributed to C-23, which has been operating since 2017, according to Sophos.

Nefarious features from previous versions of the spyware remain unchanged, such as: 

  • Collecting text from SMS or other apps, contacts, call logs, images, and documents; 
  • Recording ambient audio and incoming and outgoing calls, including WhatsApp calls; 
  • Taking pictures and screenshots using a phone’s camera and recording videos of the screen; 
  • Reading notifications from social media and messaging apps; 
  • Canceling notifications from built-in security apps, as well as from Android system apps. 

The spyware can also suppress its own notifications.

“Spyware is a growing threat in an increasingly connected world,” Sophos threat researcher Pankaj Kohli said in a statement. “The Android spyware linked to APT C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal.”

The attackers also use social engineering to lure victims into granting the permissions needed to see into every corner of their digital life, the researcher added.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.