Android/SpyC23.A – Android Malware Evolved


Friday, October 2nd, 2020

First discovered in 2017, APT-C-23 is an APT group known for distributing malware-laced Android applications. Compared with the samples documented in 2017, this new version, named ‘Android/SpyC23.A’ by ESET researchers, has extended spying functionality, including reading notifications from messaging apps and recording calls and the screen, as well as new stealth functionality such as dismissing notifications from built-in Android security apps.

The main distribution channel for this enhanced malware is a fake Android app store, named ‘DigitalApps,’ that serves both malicious and clean applications. The non-malicious items redirect users to another unofficial Android app store that also hosts both malicious and legitimate applications. The malware-laced applications in question pose as ‘AndroidUpdate,’ ‘Threema,’ and ‘Telegram.’ Both AndroidUpdate and Threema download the impersonated application with full functionality alongside the malware. Notably, downloading these applications is limited to users who hold a specific six-digit ‘coupon code.’ This is believed to be a way of limiting the spread of the malware to the users the threat actors actually intend to infect. It is also important to note that the fake app store, DigitalApps, is likely just one of the distribution methods used by APT-C-23, as some VirusTotal samples impersonate applications that were not part of the fake app store.

Because messaging applications are complex and request a myriad of permissions from the user, it is highly likely that the attackers chose this disguise to justify the permissions the malware requests. For example, before installation, the malware requests several invasive permissions from the user, including taking pictures, recording video, recording audio, reading and modifying contacts, and reading and sending SMS. After installation, a new round of permissions is requested, this time disguised as security and privacy features. These include:

  • Under the guise of “Messages Encryption”, the app requests permission to read the user’s notifications
  • Under the guise of “Private Messages”, the app requests permission to turn off Play Protect
  • Under the guise of “Private Video Chat”, the app requests permission to record the user’s screen
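The permission combination described above (camera, audio, contacts, SMS, plus notification access) is itself a useful triage signal for defenders. The following Python script is an added example for this write-up, not ESET's or the malware's code: it scores a set of declared Android permissions by how many of those capability groups it covers and flags apps that combine a notification listener with broad surveillance access. The permission names are real Android identifiers; the three sample manifests and the scoring rule are constructed for illustration.

```python
"""Triage heuristic for Android permission sets.

Added example, not code from the original post or from ESET. It checks the
permissions an app declares against the capability groups the write-up
attributes to Android/SpyC23.A and flags apps whose requested access matches
that profile. SAMPLE_MANIFESTS is constructed sample data, not real apps.
"""
from dataclasses import dataclass, field

# Real Android permission names, grouped by the spying capability they enable.
# BIND_NOTIFICATION_LISTENER_SERVICE is declared on a <service> rather than as a
# <uses-permission>, so the caller is expected to include service permissions
# in the declared set as well (assumption of this example).
CAPABILITY_GROUPS = {
    "camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "sms": {"android.permission.READ_SMS",
            "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}


@dataclass
class Verdict:
    package: str
    capabilities: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.capabilities)


def triage(package: str, declared: set) -> Verdict:
    """Return which capability groups the declared permissions cover."""
    hits = [name for name, perms in CAPABILITY_GROUPS.items() if perms & declared]
    return Verdict(package, hits)


def is_suspicious(verdict: Verdict, min_other_groups: int = 3) -> bool:
    """Heuristic (constructed for this example): a messaging app has no
    business reading other apps' notifications, so notification access
    combined with several surveillance-grade groups is flagged."""
    others = [c for c in verdict.capabilities if c != "notifications"]
    return "notifications" in verdict.capabilities and len(others) >= min_other_groups


# Constructed sample manifests (package names are hypothetical).
SAMPLE_MANIFESTS = {
    "com.example.fake.messenger": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_CONTACTS",
        "android.permission.WRITE_CONTACTS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    },
    # A real messenger asks for much of the same access but not notification reading.
    "com.example.legit.messenger": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_CONTACTS",
        "android.permission.RECEIVE_SMS",
    },
    "com.example.flashlight": {"android.permission.CAMERA"},
}


def scan_all(manifests=SAMPLE_MANIFESTS) -> dict:
    """Map package name -> (score, flagged) for every manifest."""
    results = {}
    for package, declared in manifests.items():
        verdict = triage(package, declared)
        results[package] = (verdict.score, is_suspicious(verdict))
    return results


if __name__ == "__main__":
    for package, (score, flagged) in scan_all().items():
        print(f"{package}: {score} capability groups, flagged={flagged}")
```

The threshold is deliberately conservative: a legitimate messenger legitimately covers camera, audio, contacts and SMS, so the rule only fires when notification access is added on top. Feed it the permission list from an APK analysis tool of your choice.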

After installation and initialization, once the cover app is first launched, the malware begins communicating with its Command and Control server. It registers the new victim and sends the victim’s device information to the C&C. Based on analysis of the commands received from the C&C, Android/SpyC23.A is capable of the following actions:

  • Take pictures
  • Record audio
  • Restart Wi-Fi
  • Exfiltrate call logs
  • Exfiltrate all SMS messages
  • Exfiltrate all contacts
  • Download files to device
  • Delete files from device
  • Steal files with specific extensions (pdf, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png)
  • Uninstall any app installed on the device
  • Steal APK installers of apps installed on device
  • Hide its icon
  • Get credit balance of SIM on device (it can get a balance by making a call to three different cellular operators: Jawwal, Wataniya, Etisalat)

The following features are new to this updated version of the malware.

  • Record screen and take screenshots
  • Record incoming and outgoing calls in WhatsApp
  • Make a call while creating a black screen overlay activity (to hide call activity)
  • Read text of notifications from selected messaging and social media apps: WhatsApp, Facebook, Telegram, Instagram, Skype, Messenger, Viber, imo
  • Dismiss notifications from built-in security apps on some Android devices:
    • SecurityLogAgent notifications on Samsung devices (package name contains “securitylogagent”)
    • Samsung notifications (package name contains “samsung.android”)
    • MIUI Security notifications on Xiaomi devices (package name contains “com.miui.securitycenter”)
    • Phone Manager on Huawei devices (package name contains “huawei.systemmanager”)
  • Dismiss its own notifications (an unusual feature, possibly used in case of errors or warnings displayed by the malware)

To prevent falling victim to the malware, it is highly advised that Android users only install applications from the official Google Play Store.


Sources:


Indicators of Compromise (IOCs):

  • Hashes
    • 9e78e0647e56374cf9f429dc3ce412171d0b999e
    • 344f1a9dc7f8abd88d1c94f4323646829d80c555
    • 56f321518401528278e0e79fac8c12a57d9fa545
    • 9e1399fede12ce876cdb7c6fdc2742c75b1add9a
    • 6f251160c9b08f56681ea9256f8ecf3c3bcc66f8
    • 91c12c134d4943654af5d6c23043e9962cff83c2
    • 78dd3c98a2074a8d7b5d74030a170f5a1b0b57d4
    • 1c89cea8953f5f72339b14716cef2bd11c7ecf9a
    • e79849c9d3dc87ff6820c3f08ab90e6aeb9cc216
  • C&Cs
    • https://linda-gaytan[.]website
    • https://cecilia-gilbert[.]com
    • https://david-gardiner[.]website
    • https://javan-demsky[.]website
  • Distribution URL
    • https://digital-apps[.]store
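The C&C and distribution domains above are defanged with `[.]`, so they need to be refanged before they can be matched against DNS or proxy logs. The following Python script is an added example, not part of the original post: it refangs the listed domains, matches them (and their subdomains) in log lines, and checks file hashes against the listed values. The log lines are constructed for the example; the indicators are the ones listed in this post.

```python
"""Match this post's IOCs against log lines and file hashes.

Added example, not code from the original post or from ESET. The domains and
hashes are the indicators listed in the post; SAMPLE_LOG is constructed data.
"""
import re
from urllib.parse import urlparse

DEFANGED_URLS = [
    "https://linda-gaytan[.]website",
    "https://cecilia-gilbert[.]com",
    "https://david-gardiner[.]website",
    "https://javan-demsky[.]website",
    "https://digital-apps[.]store",
]

IOC_HASHES = {
    "9e78e0647e56374cf9f429dc3ce412171d0b999e",
    "344f1a9dc7f8abd88d1c94f4323646829d80c555",
    "56f321518401528278e0e79fac8c12a57d9fa545",
    "9e1399fede12ce876cdb7c6fdc2742c75b1add9a",
    "6f251160c9b08f56681ea9256f8ecf3c3bcc66f8",
    "91c12c134d4943654af5d6c23043e9962cff83c2",
    "78dd3c98a2074a8d7b5d74030a170f5a1b0b57d4",
    "1c89cea8953f5f72339b14716cef2bd11c7ecf9a",
    "e79849c9d3dc87ff6820c3f08ab90e6aeb9cc216",
}


def refang(url: str) -> str:
    """Turn the defanged form back into a parseable URL."""
    return url.replace("[.]", ".")


def domain_of(url: str) -> str:
    return urlparse(refang(url)).hostname.lower()


IOC_DOMAINS = {domain_of(u) for u in DEFANGED_URLS}

# Loose hostname pattern: at least one dot-separated label pair.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def match_line(line: str) -> set:
    """Return the IOC domains referenced in a log line, including subdomains."""
    found = set()
    for host in HOST_RE.findall(line):
        host = host.lower()
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                found.add(ioc)
    return found


def match_hash(digest: str) -> bool:
    """Case-insensitive lookup of a file hash against the listed values."""
    return digest.strip().lower() in IOC_HASHES


def scan(lines) -> list:
    """Return (line, sorted IOC domains) for every line that hits."""
    return [(line, sorted(hits)) for line in lines if (hits := match_line(line))]


# Constructed sample log lines; the timestamps and client IPs are made up.
SAMPLE_LOG = [
    "2020-10-02T10:11:12Z dns query A api.linda-gaytan.website from 10.0.0.5",
    "2020-10-02T10:11:13Z dns query A www.example.com from 10.0.0.5",
    "2020-10-02T10:12:00Z proxy GET https://digital-apps.store/app.apk 10.0.0.7",
]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(f"HIT {hits}: {line}")
    print("hash match:", match_hash("9E78E0647E56374CF9F429DC3CE412171D0B999E"))
```

Subdomain matching is deliberate: a C&C listed as a bare domain is often contacted via a host under it, and the DNS log records the full name queried.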