During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post mentioning a new variant of Android malware used by APT-C-23.
This Advanced Persistent Threat (APT) group was first identified in 2017, where they targeted more than 100 devices from Palestine.
This variant calls itself Google_Play_Installer7080009821206716096 to trick users into thinking it’s an APK related to Google Play.
Cyble Research Labs downloaded the sample and identified that APT-C-23, also known as “the two-tailed scorpion,” targets the Middle East with this version of Android malware. This malware can steal sensitive information like Contact data, SMS data, and files from the infected device.
The delivery mechanisms used by the Threat Actors (TAs) are through phishing or via a fake Android app store; this application has an icon that is similar to the Telegram app.
Once the malware is successfully executed on the affected Android device, it can perform several malicious activities without the user’s knowledge. These activities include taking pictures, recording audio, disabling WiFi, stealing call logs, stealing SMSs, stealing Contact data, and steal files of a wide range of extensions (PDF, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png), etc.
The malware can also make calls without the user’s knowledge, delete files from the device, record the victim device’s screen, take screenshots, read the text content, and record incoming and outgoing calls in WhatsApp. Additionally, the malware checks for telecom operating out of the Middle East and specifically targets them.
In 2020, APT-C-23 was also responsible for the attack on Israeli Defense Forces (IDF).
APK Metadata Information
- App Name: Google Play Installer
- Package Name: org.telegram.light
- SHA256 Hash: c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2
Figure 1 shows the metadata information of the application.
We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 2.
- The application has a similar icon as Telegram official app.
- The application asks for Contacts, call logs, and SMS permissions.
- The application asks users to grant admin rights.
- The application asks the users to allow access to notifications.
- The application asks permission to install 3rd party applications.
- The application shows the Telegram app UI.
Upon simulating the application, we observed that it requests users for permissions to access Contacts, Call logs, and SMS data. Refer to Figure 3.
Figure 4 shows the malware asking users for device admin activation. Once the malware gains admin rights, then it can enhance its features.
Figure 5 shows that the malware asks the users to enable notification access for the application. Once the application gains notification access, it can read all notifications on the device, including SMS data.
Upon receiving notification access, the application prompts users asking for permission to install 3rd party applications. Once it gains this permission, the application will be able to install other applications or update itself. Refer to Figure 6.
Figure 7 shows that after getting the required permissions, the malware opens a UI that is similar to the official Telegram app.
Voicemail requests thirty-five different permissions, of which the attackers can abuse eighteen. In this case, the malware can:
- Read, delete or modify SMSs, call logs, and Contact data.
- Make calls without user interaction
- Delete SMS data
- Kill background processes of other apps
- Receive and send SMSs
- Reads current cellular network information, phone number and the serial number of the affected phone, the status of any ongoing calls, and a list of any phone accounts (for example: firmware accounts such as Samsung account) registered on the device.
- Read, delete or modify the files on the device’s external storage
- Disable the keylock and any associated password security measures such as biometric verification.
We have listed the dangerous permissions below.
|READ_SMS||Access phone messages.|
|READ_CONTACTS||Access phone contacts.|
|KILL_BACKGROUND_PROCESSES||Allows applications to kill the background processes of other apps.|
|CALL_PHONE||Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call.|
|RECEIVE_SMS||Allows an application to receive SMS messages.|
|SEND_SMS||Allows an application to send SMS messages.|
|READ_CALL_LOG||Access phone call logs.|
|READ_PHONE_STATE||Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.|
|REORDER_TASKS||Allows the app to push tasks to the foreground and background.|
|WRITE_CONTACTS||Allows the app to modify the device’s contacts data.|
|WRITE_EXTERNAL_STORAGE||Allows the app to write or delete files to the external storage of the device.|
|READ_EXTERNAL_STORAGE||Allows the app to read the contents of the device’s external storage.|
|RECORD_AUDIO||Allows the app to record audio with the microphone, which can be misused by the attackers.|
|PROCESS_OUTGOING_CALLS||Allows the app to process outgoing calls and modify the dialling number.|
|WRITE_CALL_LOG||Allows the app to modify the device’s call log.|
|DISABLE_KEYGUARD||Allows the app to disable the keylock and any associated password security.|
|READ_PROFILE||Allows the app to read personal profile information such as name and contact information stored on the device.|
|SYSTEM_ALERT_WINDOW||Allows the app to draw on top of other applications.|
The below image shows that the malware has defined services that can be used to read notification data on the device. Refer to Figure 8.
The below image shows that the malware has defined services that can be used for Accessibility services. Refer to Figure 9.
The below image shows that the malware has a defined receiver that can be used to gain system-level device administration access. Refer to Figure 10.
Source Code Description
The below images show that the malware checks for various telecom companies operating in the Middle East. Refer to Figure 11.
The code given in Figure 12 shows that the malware is capable of reading Contact data.
The code shown in Figure 13 demonstrates that the malware is capable of reading SMS data.
The code shown in Figure 14 demonstrates that the malware is capable of reading CallLogs data from the device.
The code shown in Figure 15 demonstrates that the malware is capable of calling any number without the user’s knowledge or interaction.
The below code shows that the malware is capable of capturing pictures without user interaction. Refer to Figure 16.
The code shown in Figure 17 demonstrates that the malware can steal specific files from the device based on the various extensions shown in the below table.
|Portable Document Format|
|.xls||Microsoft Excel spreadsheet file|
|.xlsx||Microsoft Excel spreadsheet file|
The below code demonstrates that the malware is capable of reading WhatsApp text data and recording incoming and outgoing WhatsApp calls. Refer to Figure 18.
The below code demonstrates that the malware is capable of recording audio from the device. Refer to Figure 19.
The below code demonstrates that the malware is capable of disabling WiFi connections. Refer to Figure 20.
The below code demonstrates the URL’s connectivity to post the data to the server. Refer to Figure 21.
APT-C-23 TA groups use Android spyware to specifically target users in the Middle East.
These TAs are constantly adapting their methods to avoid detection and find new ways to target users through sophisticated techniques. One of the most common methods used to infect devices is by disguising the malware as a supposedly legitimate Google application to confuse users into installing them.
Users should only install applications after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like the Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Users should be careful while enabling any permissions on their devices.
- If you find any suspicious applications on your device, uninstall, or delete them immediately.
- Use the shared IOCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Android device, OS, and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Initial Access||T1444 |
|Masquerade as Legitimate Application|
Deliver Malicious App via Other Means
|Defense Evasion||T1508||Supress Application Icon|
|Capture SMS Messages|
Access Contacts List
Access Call Log
Data from Local System
|Impact||T1447||Delete Device Data|
Indicators of Compromise (IOCs)
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.