Cyble-APT-C-23-Spyware-Android-Middle-East-Threat
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post mentioning a new variant of Android malware used by APT-C-23.
This Advanced Persistent Threat (APT) group was first identified in 2017, where they targeted more than 100 devices from Palestine.
This variant calls itself Google_Play_Installer7080009821206716096 to trick users into thinking it’s an APK related to Google Play.
Cyble Research Labs downloaded the sample and identified that APT-C-23, also known as “the two-tailed scorpion,” targets the Middle East with this version of Android malware. This malware can steal sensitive information like Contact data, SMS data, and files from the infected device.
The delivery mechanisms used by the Threat Actors (TAs) are through phishing or via a fake Android app store; this application has an icon that is similar to the Telegram app.
Once the malware is successfully executed on the affected Android device, it can perform several malicious activities without the user’s knowledge. These activities include taking pictures, recording audio, disabling WiFi, stealing call logs, stealing SMSs, stealing Contact data, and stealing files with a wide range of extensions (PDF, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png), etc.
The malware can also make calls without the user’s knowledge, delete files from the device, record the victim device’s screen, take screenshots, read text content, and record incoming and outgoing WhatsApp calls. Additionally, the malware checks for telecom operators operating in the Middle East and specifically targets them.
In 2020, APT-C-23 was also responsible for the attack on Israeli Defense Forces (IDF).
Figure 1 shows the metadata information of the application.
We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 2.
Upon simulating the application, we observed that it requests users for permissions to access Contacts, Call logs, and SMS data. Refer to Figure 3.
Figure 4 shows the malware asking the user to activate device administrator access. Once the malware gains admin rights, it can extend its capabilities.
Figure 5 shows that the malware asks the users to enable notification access for the application. Once the application gains notification access, it can read all notifications on the device, including SMS data.
Upon receiving notification access, the application prompts the user for permission to install third-party applications. Once it gains this permission, the application will be able to install other applications or update itself. Refer to Figure 6.
Figure 7 shows that after getting the required permissions, the malware opens a UI that is similar to the official Telegram app.
Voicemail requests thirty-five different permissions, of which the attackers can abuse eighteen. In this case, the malware can:
We have listed the dangerous permissions below.
| Permissions | Description |
| --- | --- |
| READ_SMS | Access phone messages. |
| READ_CONTACTS | Access phone contacts. |
| KILL_BACKGROUND_PROCESSES | Allows applications to kill the background processes of other apps. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| SEND_SMS | Allows an application to send SMS messages. |
| READ_CALL_LOG | Access phone call logs. |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| REORDER_TASKS | Allows the app to push tasks to the foreground and background. |
| WRITE_CONTACTS | Allows the app to modify the device’s contacts data. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device. |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage. |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which can be misused by the attackers. |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialling number. |
| WRITE_CALL_LOG | Allows the app to modify the device’s call log. |
| DISABLE_KEYGUARD | Allows the app to disable the keylock and any associated password security. |
| READ_PROFILE | Allows the app to read personal profile information such as name and contact information stored on the device. |
| SYSTEM_ALERT_WINDOW | Allows the app to draw on top of other applications. |
Figure 8 shows that the malware declares a service that can be used to read notification data on the device.
Figure 9 shows that the malware declares a service that is registered as an Accessibility service.
Figure 10 shows that the malware declares a receiver that can be used to gain system-level device administration access.
Figure 11 shows that the malware checks for various telecom companies operating in the Middle East.
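The permission table and the three declared components (notification listener, Accessibility service, device admin receiver) are exactly what an analyst would look for when triaging a suspicious APK. The following added example is not code from the original article or from Cyble; it is a small defender-side triage script that parses a decoded AndroidManifest.xml (for example the text output of apktool, since the manifest inside an APK is binary AXML), flags the dangerous permissions listed in the table above, and reports components bound to the privileged system permissions that back those three hooks. The embedded manifest is constructed for the example and mirrors the shape described in Figures 8 to 10; package and class names in it are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Permissions the article lists as abusable by this spyware (package prefix stripped).
DANGEROUS_PERMISSIONS = {
    "READ_SMS", "READ_CONTACTS", "KILL_BACKGROUND_PROCESSES", "CALL_PHONE",
    "RECEIVE_SMS", "SEND_SMS", "READ_CALL_LOG", "READ_PHONE_STATE",
    "REORDER_TASKS", "WRITE_CONTACTS", "WRITE_EXTERNAL_STORAGE",
    "READ_EXTERNAL_STORAGE", "RECORD_AUDIO", "PROCESS_OUTGOING_CALLS",
    "WRITE_CALL_LOG", "DISABLE_KEYGUARD", "READ_PROFILE", "SYSTEM_ALERT_WINDOW",
}

# Component-level bind permissions that identify the three privileged hooks
# described in the article (Figures 8, 9 and 10).
PRIVILEGED_BIND_PERMISSIONS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin_receiver",
}

# Constructed sample manifest (not the real sample's manifest); names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.installer">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Play">
    <activity android:name=".MainActivity"/>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".AccSvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminRecv"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the dangerous permissions requested and the privileged components declared."""
    root = ET.fromstring(manifest_xml)

    # <uses-permission> elements carry the full name; keep only the short form for lookup.
    requested = set()
    for node in root.iter("uses-permission"):
        full_name = node.get(NAME_ATTR, "")
        requested.add(full_name.rsplit(".", 1)[-1])
    flagged = sorted(requested & DANGEROUS_PERMISSIONS)

    # Services/receivers protected by a system bind permission are the privileged hooks.
    hooks = []
    for node in root.iter():
        if node.tag in ("service", "receiver"):
            label = PRIVILEGED_BIND_PERMISSIONS.get(node.get(PERMISSION_ATTR, ""))
            if label:
                hooks.append((label, node.get(NAME_ATTR, "")))

    # Heuristic verdict: any privileged hook, or a wide spread of sensitive permissions.
    verdict = "suspicious" if hooks or len(flagged) >= 5 else "review"
    return {
        "dangerous_permissions": flagged,
        "privileged_components": hooks,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("Dangerous permissions:", ", ".join(report["dangerous_permissions"]))
    for label, cls in report["privileged_components"]:
        print("Privileged component:", label, "->", cls)
    print("Verdict:", report["verdict"])
```

The verdict threshold is a deliberately simple heuristic; in practice the value of the script is the list of flagged permissions and hooks, which tells the analyst which code paths (notification reading, accessibility abuse, device admin) to inspect first in the decompiled application.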
The code given in Figure 12 shows that the malware is capable of reading Contact data.
The code shown in Figure 13 demonstrates that the malware is capable of reading SMS data.
The code shown in Figure 14 demonstrates that the malware is capable of reading CallLogs data from the device.
The code shown in Figure 15 demonstrates that the malware is capable of calling any number without the user’s knowledge or interaction.
The below code shows that the malware is capable of capturing pictures without user interaction. Refer to Figure 16.
The code shown in Figure 17 demonstrates that the malware can steal specific files from the device based on the various extensions shown in the below table.
| File Type | Description |
| --- | --- |
| .pdf | Portable Document Format |
| .doc | DOCument |
| .docx | DOCument |
| .ppt | PowerPoint presentation |
| .pptx | PowerPoint presentation |
| .xls | Microsoft Excel spreadsheet file |
| .xlsx | Microsoft Excel spreadsheet file |
| .txt | TeXT |
| .text | TeXT |
The below code demonstrates that the malware is capable of reading WhatsApp text data and recording incoming and outgoing WhatsApp calls. Refer to Figure 18.
The below code demonstrates that the malware is capable of recording audio from the device. Refer to Figure 19.
The below code demonstrates that the malware is capable of disabling WiFi connections. Refer to Figure 20.
The below code demonstrates the URL’s connectivity to post the data to the server. Refer to Figure 21.
The APT-C-23 TA group uses Android spyware to specifically target users in the Middle East.
These TAs are constantly adapting their methods to avoid detection and find new ways to target users through sophisticated techniques. One of the most common methods used to infect devices is disguising the malware as a supposedly legitimate Google application to trick users into installing it.
Users should only install applications after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Execution | T1575 | Native Code |
| Persistence | T1402 | Broadcast Receivers |
| Defense Evasion | T1508 | Suppress Application Icon |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1433 | Access Call Log |
| Collection | T1517 | Access Notifications |
| Collection | T1429 | Capture Audio |
| Collection | T1512 | Capture Camera |
| Collection | T1533 | Data from Local System |
| Collection | T1513 | Screen Capture |
| Impact | T1447 | Delete Device Data |
| Indicators | Indicator type | Description |
| --- | --- | --- |
| c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2 | SHA256 | Malicious APK |
| hxxps://linda-gaytan[.]website | URL | Communicating URL |
| hxxps://cecilia-gilbert[.]com | URL | C2 Domain |
| hxxps://david-gardiner[.]website | URL | Communicating URL |
| hxxps://javan-demsky[.]website | URL | C2 Domain |
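The indicators above are published defanged (`hxxps`, `[.]`), so they have to be normalised before they can be matched against telemetry. The following added example is not code from the article or from Cyble: it refangs the URL indicators into bare domains and scans constructed web-proxy log lines for hosts that equal one of those domains or sit under it as a subdomain, while ignoring look-alike hosts that merely contain the indicator as a substring. The log format and the client addresses are assumptions made for the example; only the indicator values come from the table.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published above (defanged).
RAW_URL_IOCS = {
    "hxxps://linda-gaytan[.]website": "Communicating URL",
    "hxxps://cecilia-gilbert[.]com": "C2 Domain",
    "hxxps://david-gardiner[.]website": "Communicating URL",
    "hxxps://javan-demsky[.]website": "C2 Domain",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a parseable URL (lower-cased)."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def ioc_domains(raw_iocs: dict) -> dict:
    """Map each refanged indicator to its bare hostname, keeping the description."""
    result = {}
    for indicator, description in raw_iocs.items():
        host = urlparse(refang(indicator)).hostname
        if host:
            result[host] = description
    return result


def match_domain(host: str, domains: dict):
    """Return the matching indicator domain for an exact or subdomain match, else None."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_proxy_line(line: str) -> dict:
    """Parse 'key=value' fields from one constructed proxy log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def scan_proxy_log(lines, raw_iocs=RAW_URL_IOCS) -> list:
    """Return one hit per log line whose host matches an indicator domain."""
    domains = ioc_domains(raw_iocs)
    hits = []
    for line in lines:
        fields = parse_proxy_line(line)
        host = fields.get("host", "")
        matched = match_domain(host, domains)
        if matched:
            hits.append({
                "src": fields.get("src"),
                "host": host,
                "matched_domain": matched,
                "description": domains[matched],
                "method": fields.get("method"),
            })
    return hits


# Constructed proxy log lines (not real telemetry); the third is a subdomain of an
# indicator, the fourth is a look-alike host that must NOT match.
SAMPLE_PROXY_LOG = [
    "2022-06-01T10:01:12Z src=10.20.0.15 host=linda-gaytan.website method=POST path=/api/upload bytes=48213",
    "2022-06-01T10:02:40Z src=10.20.0.15 host=play.google.com method=GET path=/store bytes=1200",
    "2022-06-01T10:03:05Z src=10.20.0.22 host=api.cecilia-gilbert.com method=POST path=/c bytes=512",
    "2022-06-01T10:04:19Z src=10.20.0.31 host=example-linda-gaytan.website method=GET path=/ bytes=900",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("%s -> %s (%s, matched %s)" % (hit["src"], hit["host"], hit["description"], hit["matched_domain"]))
```

Matching on the registered domain with a subdomain suffix check is the usual trade-off for C2 indicators: it catches hosts the actor rotates under the same domain without producing hits on unrelated names that happen to contain the string. The same refang helper can be reused for the SHA256 entry, which needs no normalisation beyond lower-casing before comparison with file-hash events from an EDR.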
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.