APT‑C‑23 group evolves its Android adware

APT‑C‑23 group evolves its Android spyware

ESET researchers uncover a brand new model of Android adware utilized by the APT-C-23 risk group towards targets within the Center East

We’ve got found a beforehand unreported model of Android adware utilized by APT-C-23, a risk group often known as Two-tailed Scorpion and primarily focusing on the Center East. ESET merchandise detect the malware as Android/SpyC23.A.

The APT-C-23 group is thought to have used each Home windows and Android parts in its operations, with the Android parts first described in 2017. In the identical 12 months, a number of analyses of APT-C-23’s cell malware had been revealed.

In comparison with the variations documented in 2017, Android/SpyC23.A has prolonged spying performance, together with studying notifications from messaging apps, name recording and display recording, and new stealth options, comparable to dismissing notifications from built-in Android safety apps. One of many methods the adware is distributed is by way of a faux Android app retailer, utilizing well-known apps as a lure.

Timeline and discovery

The group’s actions had been first described by Qihoo 360 Expertise in March 2017 beneath the title Two-tailed Scorpion. In the identical 12 months, Palo Alto Networks, Lookout and Pattern Micro described different variations of the cell malware, naming them VAMP, FrozenCell and GnatSpy, respectively. Lookout revealed an evaluation of one other model of the malware, named Desert Scorpion, in April 2018, and in the beginning of 2020, Examine Level Analysis reported new cell malware assaults attributed to the APT-C-23 group.

In April 2020, @malwrhunterteam tweeted a couple of new Android malware pattern. In response to the VirusTotal service, no safety vendor in addition to ESET detected the pattern on the time. In cooperation with @malwrhunterteam, we acknowledged the malware to be a part of the APT-C-23 arsenal.

Determine 1. VirusTotal detection charge for one of many newly found samples

In June, 2020, @malwrhunterteam tweeted about one other little-detected Android malware pattern, which turned out to be related to the pattern from April. A deeper evaluation confirmed that each the April and June discoveries had been each variants of the identical new Android malware utilized by the APT-C-23 group.

Determine 2 exhibits the timeline of those occasions.

Determine 2. Timeline of beforehand documented APT-C-23 cell malware and ESET’s 2020 investigation


Due to info from @malwrhunterteam, we recognized a faux Android app retailer used to distribute the malware. On the time of study, the “DigitalApps” retailer, pictured in Determine 3, contained each malicious and clear gadgets. The non-malicious gadgets would redirect customers to a different unofficial Android app retailer, serving reliable apps. The malware was hidden in apps posing as AndroidUpdate, Threema and Telegram. The latter two of those lures additionally downloaded the impersonated apps with full performance together with the malware. This mechanism is described intimately within the Performance part.

Determine 3. The faux app retailer serving APT-C-23 adware

Apparently, the downloads had been restricted by needing to enter a six-digit coupon code, as seen in Determine 4. This can be a approach to forestall these not focused by the group from putting in the malware, and therefore hold a decrease profile. Though we didn’t have a coupon code, downloading the app wasn’t such an issue – all that was wanted was to append “/obtain” to the URL.

Determine 4. The faux app retailer requiring a coupon code for downloading malware

This faux app retailer is probably going simply one of many distribution strategies utilized by the risk group. Our telemetry from 2020 confirmed samples impersonating apps that weren’t part of this faux app retailer.

ESET telemetry information

In response to ESET telemetry and VirusTotal information, Android/SpyC23.A has been within the wild since Might 2019.

In June 2020, ESET techniques blocked this adware on shopper units in Israel. The detected malware samples had been disguised because the messaging app “WeMessage”, proven in Determine 5.

Whereas there’s a reliable messaging app referred to as weMessage on Google Play, as seen in Determine 6, the malicious app makes use of fully totally different graphics and doesn’t appear to impersonate the reliable app apart from by appropriating its title. In our analysis, we haven’t discovered one other app utilizing the identical or comparable interface because the malicious WeMessage app, so it’s potential that the attackers created customized graphics.

We don’t know the way this specific model of the adware was distributed – the malicious WeMessage app wasn’t provided within the aforementioned faux app retailer.

Determine 5. Graphics utilized by the malicious WeMessage app

Determine 6. The reliable weMessage app on Google Play


Primarily based on our analysis, the malware primarily impersonates messaging apps. The attackers may need chosen this guise to justify the assorted permissions requested by the malware.

Set up and permissions

Earlier than set up, Android/SpyC23.A requests quite a lot of invasive permissions, together with taking photos and movies, recording audio, studying and modifying contacts, and studying and sending SMS.

After set up, the malware requests a sequence of extra, delicate permissions, utilizing social engineering-like strategies to idiot technically inexperienced customers. These extra permission requests are disguised as safety and privateness options:

  • Underneath the guise of “Messages Encryption”, the app requests permission to learn the consumer’s notifications
  • Underneath the guise of “Non-public Messages”, the app requests permission to show off Play Defend
  • Underneath the guise of “Non-public Video Chat”, the app requests permission to document the consumer’s display

These steps are proven within the video beneath.


After the malware is initialized, normally, victims are requested to manually set up the reliable app used as a lure (e.g. Threema), which is saved within the malware’s sources. Whereas the reliable app is being put in, the malware hides its presence on the affected system. This manner, the victims find yourself with a functioning app they meant to obtain and adware silently operating within the background. In some circumstances (e.g. WeMessage, AndroidUpdate) the downloaded apps didn’t have any actual performance, and solely served as bait for putting in the adware.

When first launched, the malware begins to speak with its Command and Management (C&C) server. It registers the brand new sufferer and sends the sufferer’s system info to the C&C.


Primarily based on the instructions obtained, Android/SpyC23.A can carry out the next actions:

  • Take photos
  • File audio
  • Restart Wi-Fi
  • Exfiltrate name logs
  • Exfiltrate all SMS messages
  • Exfiltrate all contacts
  • Obtain recordsdata to system
  • Delete recordsdata from system
  • Steal recordsdata with specific extensions (pdf, doc, docx, ppt, pptx, xls, xlsx, txt, textual content, jpg, jpeg, png)
  • Uninstall any app put in on the system
  • Steal APK installers of apps put in on system
  • Cover its icon
  • Get credit score stability of SIM on system (it might get a stability by making a name to a few totally different mobile operators: Jawwal, Wataniya, Estisalat)

The next options are new in Android/SpyC23.A in comparison with the beforehand documented variations:

  • File display and take screenshots
  • File incoming and outgoing calls in WhatsApp
  • Make a name whereas making a black display overlay exercise (to cover name exercise)
  • Learn textual content of notifications from chosen messaging and social media apps: WhatsApp, Fb, Telegram, Instagram, Skype, Messenger, Viber, imo
  • Dismiss notifications from built-in safety apps on some Android units:
    • SecurityLogAgent notifications on Samsung units (bundle title comprises “securitylogagent”)
    • Samsung notifications (bundle title comprises “samsung.android”)
    • MIUI Safety notifications on Xiaomi units (bundle title comprises “com.miui.securitycenter”)
    • Telephone Supervisor on Huawei units (bundle title comprises “huawei.systemmanager”)
  • Dismiss its personal notifications (an uncommon function, probably utilized in case of errors or warnings displayed by the malware)

C&C communication

Apart from spying capabilities, the malware’s C&C communication has additionally undergone an replace. In older variations, the C&C in use was hardcoded and both obtainable in plain textual content or trivially obfuscated, and thus simpler to establish. Within the up to date model, the C&C is properly hidden utilizing numerous strategies and will be remotely modified by the attacker.

On this part, we’ll describe how Android/SpyC23.A retrieves its C&C server.

The malware makes use of a local library with three features. Two of them return opening and shutting HTML tags for the title and the third one returns an encrypted string.

Determine 7. Returned strings from the native library

The encrypted string serves two functions: the primary half – earlier than the hyphen (“-”) – is used as a part of the password to encrypt recordsdata extracted from the affected system. The second half is first decoded (base64) after which decrypted (AES). The decrypted string would possibly, for instance, counsel a Fb profile web page for the C&C, however it’s nonetheless obfuscated.

Determine 8. Decrypted however nonetheless obfuscated URL

A number of the substrings on this string are changed primarily based on a easy substitution desk after which the area a part of the obvious URL is changed.

Determine 9. Decrypted and deobfuscated URL

From this URL, the malware parses the HTML for its title tag.

Determine 10. Parsing web site title to retrieve the C&C server

The final step is to switch the primary area for a splash and the second for a dot. With that, acquiring the C&C is completed. Such a course of permits the malware operators to alter their C&C server dynamically.

Determine 11. C&C communication

The malware’s reside C&C servers sometimes pose as web sites beneath upkeep, all utilizing the identical brand, proven in Determine 12.

Determine 12. The malware’s C&C server


Our analysis exhibits that the APT-C-23 group remains to be energetic, enhancing its cell toolset and operating new operations. Android/SpyC32.A – the group’s latest adware model – options a number of enhancements making it extra harmful to victims.

To forestall falling sufferer to adware, we advise Android customers to solely set up apps from the official Google Play Retailer. In circumstances the place privateness considerations, entry points or different restrictions forestall customers from following this recommendation, customers ought to take further care when downloading apps from unofficial sources. We suggest scrutinizing the app’s developer, double-checking the permissions requested, and utilizing a reliable and up-to-date cell safety answer.

For any inquiries, contact us at [email protected]

Indicators of Compromise (IoCs)

ESET detection title





https://linda-gaytan[.]web site
https://david-gardiner[.]web site
https://javan-demsky[.]web site

Distribution URL


MITRE ATT&CK strategies

This desk was constructed utilizing model 7 of the ATT&CK framework.

Preliminary EntryT1444Masquerade as Respectable UtilityAndroid/SpyC23.A impersonates a reliable chat utility.
T1476Ship Malicious App by way of Different MeansSpyC23.A will be downloaded from a malicious different app retailer.
ExecutionT1575Native CodeSpyC23.A makes use of a local methodology to retrieve an encrypted string to acquire its C&C.
PersistenceT1402Broadcast ReceiversSpyC23.A listens for the BOOT_COMPLETED broadcast, making certain that the app’s performance will likely be activated each time the system begins.
Protection EvasionT1508Suppress Utility IconSpyC23.A hides its icon.
DiscoveryT1418Utility DiscoverySpyC23.A retrieves a listing of put in apps.
T1420File and Listing DiscoverySpyC23.A retrieves the content material of the exterior storage listing.
T1426System Data DiscoverySpyC23.A retrieves particulars concerning the system.
AssortmentT1433Entry Name LogSpyC23.A exfiltrates name log historical past.
T1432Entry Contact ListingSpyC23.A exfiltrates the sufferer’s contact record.
T1517Entry NotificationsSpyC23.A exfiltrates messages from messaging and social media apps.
T1429Seize AudioSpyC23.A can document environment and calls.
T1512Seize DigicamSpyC23.A can take photos from the entrance or rear cameras.
T1412Seize SMS MessagesSpyC23.A can exfiltrate despatched and obtained SMS messages.
T1533Information from Native SystemSpyC23.A steals recordsdata with specific extensions from exterior media.
T1513Display SeizeSpyC23.A can take screenshots.
Command and ManagementT1438Different Community MediumsSpyC23.A can use SMS to obtain C&C messages.
T1437Normal Utility Layer ProtocolSpyC23.A communicates with C&C utilizing HTTPS and Firebase Cloud Messaging (FCM).
T1544Distant File CopySpyC23.A can obtain attacker-specified recordsdata.
ExfiltrationT1532Information EncryptedExtracted information is transmitted in password-protected ZIP recordsdata.
AffectT1447Delete Machine InformationSpyC23.A can delete attacker-specified recordsdata from the system.

Supply from www.welivesecurity.com

You may also like

Leave a Reply

Your email address will not be published. Required fields are marked *