Cyble-APT-C-23-Spyware-Android-Middle-East-Threat

APT-C-23 Using New Variant Of Android Spyware To Target Users In The Middle East

During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post mentioning a new variant of Android malware used by APT-C-23.

This Advanced Persistent Threat (APT) group was first identified in 2017, where they targeted more than 100 devices from Palestine.

This variant calls itself Google_Play_Installer7080009821206716096 to trick users into thinking it’s an APK related to Google Play.

Cyble Research Labs downloaded the sample and identified that APT-C-23, also known as “the two-tailed scorpion,” targets the Middle East with this version of Android malware. This malware can steal sensitive information like Contact data, SMS data, and files from the infected device.

The delivery mechanisms used by the Threat Actors (TAs) are through phishing or via a fake Android app store; this application has an icon that is similar to the Telegram app.

Once the malware is successfully executed on the affected Android device, it can perform several malicious activities without the user’s knowledge. These activities include taking pictures, recording audio, disabling WiFi, stealing call logs, stealing SMSs, stealing Contact data, and steal files of a wide range of extensions (PDF, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png), etc.

The malware can also make calls without the user’s knowledge, delete files from the device, record the victim device’s screen, take screenshots, read the text content, and record incoming and outgoing calls in WhatsApp. Additionally, the malware checks for telecom operating out of the Middle East and specifically targets them.

In 2020, APT-C-23 was also responsible for the attack on Israeli Defense Forces (IDF).

Technical Analysis

APK Metadata Information

  • App Name: Google Play Installer
  • Package Name: org.telegram.light
  • SHA256 Hash: c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2

Figure 1 shows the metadata information of the application.

Figure 1 Metadata Information

We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 2.

  • The application has a similar icon as Telegram official app.
  • The application asks for Contacts, call logs, and SMS permissions.
  • The application asks users to grant admin rights.
  • The application asks the users to allow access to notifications.
  • The application asks permission to install 3rd party applications.
  • The application shows the Telegram app UI.
Figure 2 Application Start Flow

Upon simulating the application, we observed that it requests users for permissions to access Contacts, Call logs, and SMS data. Refer to Figure 3.

Figure 3 Requests Sensitive Permissions

Figure 4 shows the malware asking users for device admin activation. Once the malware gains admin rights, then it can enhance its features.

Figure 4 Requests for Admin Activation

Figure 5 shows that the malware asks the users to enable notification access for the application. Once the application gains notification access, it can read all notifications on the device, including SMS data.

Figure 5 Asks for Notification Access

Upon receiving notification access, the application prompts users asking for permission to install 3rd party applications. Once it gains this permission, the application will be able to install other applications or update itself. Refer to Figure 6.

Figure 6 Asks for 3rd Party App Installation Permission

Figure 7 shows that after getting the required permissions,  the malware opens a UI that is similar to the official Telegram app.

Figure 7 Similar UI as Telegram App

Manifest Description

Voicemail requests thirty-five different permissions, of which the attackers can abuse eighteen. In this case, the malware can:

  • Read, delete or modify SMSs, call logs, and Contact data.
  • Make calls without user interaction
  • Delete SMS data
  • Kill background processes of other apps
  • Receive and send SMSs
  • Reads current cellular network information, phone number and the serial number of the affected phone, the status of any ongoing calls, and a list of any phone accounts (for example: firmware accounts such as Samsung account) registered on the device.
  • Read, delete or modify the files on the device’s external storage
  • Disable the keylock and any associated password security measures such as biometric verification.

We have listed the dangerous permissions below.

PermissionsDescription
READ_SMSAccess phone messages.
READ_CONTACTSAccess phone contacts.
KILL_BACKGROUND_PROCESSESAllows applications to kill the background processes of other apps.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface to confirm the call.
RECEIVE_SMSAllows an application to receive SMS messages.
SEND_SMSAllows an application to send SMS messages.
READ_CALL_LOGAccess phone call logs.
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
REORDER_TASKSAllows the app to push tasks to the foreground and background.
WRITE_CONTACTSAllows the app to modify the device’s contacts data.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device.
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage.
RECORD_AUDIOAllows the app to record audio with the microphone, which can be misused by the attackers.
PROCESS_OUTGOING_CALLSAllows the app to process outgoing calls and modify the dialling number.
WRITE_CALL_LOGAllows the app to modify the device’s call log.
DISABLE_KEYGUARDAllows the app to disable the keylock and any associated password security.
READ_PROFILEAllows the app to read personal profile information such as name and contact information stored on the device.
SYSTEM_ALERT_WINDOWAllows the app to draw on top of other applications.
Table 1 Permissions’ Description

The below image shows that the malware has defined services that can be used to read notification data on the device. Refer to Figure 8.

Figure 8 Service to Read Notifications

The below image shows that the malware has defined services that can be used for Accessibility services. Refer to Figure 9.

Figure 9 Service Defined for Accessibility

The below image shows that the malware has a defined receiver that can be used to gain system-level device administration access. Refer to Figure 10.

Figure 10 Receiver Defined to Gain Admin Rights

Source Code Description

The below images show that the malware checks for various telecom companies operating in the Middle East. Refer to Figure 11.

Figure 11 Checks for Sim Operator Company

The code given in Figure 12 shows that the malware is capable of reading Contact data.

Figure 12 Reads Contacts Data

The code shown in Figure 13 demonstrates that the malware is capable of reading SMS data.

Figure 13 Reads SMS Data

The code shown in Figure 14 demonstrates that the malware is capable of reading CallLogs data from the device.

Figure 14 Reads Call Logs

The code shown in Figure 15 demonstrates that the malware is capable of calling any number without the user’s knowledge or interaction.

Figure 15 Can Make Calls

The below code shows that the malware is capable of capturing pictures without user interaction. Refer to Figure 16.

Figure 16 Capture Pictures

The code shown in Figure 17 demonstrates that the malware can steal specific files from the device based on the various extensions shown in the below table.

File TypeDescription
.pdfPortable Document Format
.docDOCument
.docx  DOCument
.pptPowerPoint presentation
.pptxPowerPoint presentation
.xlsMicrosoft Excel spreadsheet file
.xlsxMicrosoft Excel spreadsheet file
.txtTeXT
.textTeXT
Table 2 File Type Description

Figure 17 Steals Specific Files

The below code demonstrates that the malware is capable of reading WhatsApp text data and recording incoming and outgoing WhatsApp calls. Refer to Figure 18.

Figure 18 Reads and Records WhatsApp Data

The below code demonstrates that the malware is capable of recording audio from the device. Refer to Figure 19.

Figure 19 Records Audio

The below code demonstrates that the malware is capable of disabling WiFi connections. Refer to Figure 20.

Figure 20 Disabled Wi-Fi

The below code demonstrates the URL’s connectivity to post the data to the server. Refer to Figure 21.

Figure 21 URL Connection

Conclusion

APT-C-23 TA groups use Android spyware to specifically target users in the Middle East.

These TAs are constantly adapting their methods to avoid detection and find new ways to target users through sophisticated techniques. One of the most common methods used to infect devices is by disguising the malware as a supposedly legitimate Google application to confuse users into installing them.

Users should only install applications after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  • Download and install software only from official app stores like the Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Users should be careful while enabling any permissions on their devices.
  • If you find any suspicious applications on your device, uninstall, or delete them immediately. 
  • Use the shared IOCs to monitor and block the malware infection. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Keep your Android device, OS, and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1444
T1476
Masquerade as Legitimate Application
Deliver Malicious App via Other Means
ExecutionT1575Native Code
PersistenceT1402 Broadcast Receivers
Defense EvasionT1508Supress Application Icon
CollectionT1412
T1432
T1433
T1517
T1429
T1512
T1533
T1513
Capture SMS Messages
Access Contacts List
Access Call Log
Access Notifications
Capture Audio
Capture Camera
Data from Local System
Screen Capture
ImpactT1447Delete Device Data

Indicators of Compromise (IOCs)  

IndicatorsIndicator typeDescription
c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2SHA256Malicious APK
hxxps://linda-gaytan[.]websiteURLCommunicating URL
hxxps://cecilia-gilbert[.]comURLC2 Domain
hxxps://david-gardiner[.]websiteURLCommunicating URL
hxxps://javan-demsky[.]websiteURLC2 Domain  

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

%d bloggers like this: