A threat actor notorious for attacking targets in the Middle East has improved its Android spyware, making it stealthier and more persistent while passing it off as seemingly benign app updates to remain undetected.
According to a report by a Sophos threat researcher, the latest variants have added functionality to the malicious apps that makes them more resistant to user actions such as manual deletion. They have also been built to withstand attempts by security and web hosting providers to take down or block access to their command-and-control server names.
The mobile spyware, also known as VAMP, GnatSpy, FrozenCell, and Desert Scorpion, has been a favorite weapon of the APT-C-23 threat group since at least 2017. The malware has previously been distributed through phony Android app stores, posing as AndroidUpdate, Threema, and Telegram. The new campaign is similar in that it uses apps with names like App Upgrades, System Apps Updates, and Android Update Intelligence that ostensibly install updates on the target's phone. The attackers are said to deliver the spyware by sending the victim a download link via smishing (SMS phishing) messages.
Once installed, the app begins requesting intrusive permissions in order to carry out a series of harmful behaviors designed to evade manual removal. Not only does the app change its icon to blend in with popular apps such as Chrome, Google Play, Google, and YouTube, but if the user taps the fake icon, the actual spyware launches in the background and carries out its surveillance tasks.
According to the researcher, spyware is becoming more prevalent in an increasingly connected society. The Android malware linked to APT-C-23 has been around for at least four years, and the attackers are still developing new ways to make it harder to detect and remove.