{
	"id": "81e1fff8-7719-43de-8bd7-506fdc035c1a",
	"created_at": "2026-04-06T00:11:42.851214Z",
	"updated_at": "2026-04-10T03:32:04.931709Z",
	"deleted_at": null,
	"sha1_hash": "18e22a5cf14b7e4e7d9f7ac1bbdd2bd27e5a8a4b",
	"title": "Android Spyware Variant Snoops on WhatsApp, Telegram Messages",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 170631,
	"plain_text": "Android Spyware Variant Snoops on WhatsApp, Telegram Messages\r\nBy Lindsey O'Donnell\r\nPublished: 2020-09-30 · Archived: 2026-04-05 21:57:44 UTC\r\nThe Android malware comes from threat group APT-C-23, also known as Two-Tailed Scorpion and Desert Scorpion.\r\nResearchers say they have uncovered a new Android spyware variant with an updated command-and-control communication strategy and extended surveillance capabilities that snoops on social media apps WhatsApp and Telegram.\r\nThe malware, Android/SpyC23.A, is currently being used in active campaigns targeting victims in the Middle East. It is a new variant of an existing malware operated by threat group APT-C-23 (also known as Two-Tailed Scorpion and Desert Scorpion). APT-C-23 is known to utilize both Windows and Android components, and has previously targeted victims in the Middle East with apps in order to compromise Android smartphones.\r\n“Our research shows that the APT-C-23 group is still active, enhancing its mobile toolset and running new operations,” according to researchers with ESET in a report released Wednesday. “Android/SpyC23.A – the group’s newest spyware version – features several improvements making it more dangerous to victims.”\r\nAPT-C-23’s activities – including its mobile malware – were first described in 2017 by several security research teams. Meanwhile, the updated version, Android/SpyC23.A, has been in the wild since May 2019 and was first detected by researchers in June 2020.\r\nThe detected malware samples were disguised as a legitimate messaging app offered through Google Play. The app, called WeMessage, is malicious, researchers said, and uses entirely different graphics and doesn’t seem to impersonate the legitimate app other than by name. Researchers said this malicious app does not have any real functionality and only served as bait for installing the spyware.\r\nResearchers also said they don’t know how this fake WeMessage app was distributed. Previous versions of the malware were distributed in apps via a fake Android app store, called the “DigitalApps” store. The fake app store distributed both legitimate apps as well as fake apps posing as AndroidUpdate, Threema and Telegram. However, researchers said that the fake WeMessage app was not on the “DigitalApps” store.\r\nNew Updates\r\nhttps://threatpost.com/new-android-spyware-whatsapp-telegram/159694/\r\nPage 1 of 3\r\nPreviously documented versions of this spyware have various capabilities, including the ability to take pictures, record audio, exfiltrate call logs, SMS messages and contacts, and more. They would do so by requesting a number of invasive permissions, using social engineering-like techniques to fool technically inexperienced users.\r\nLegitimate WeMessage app. Credit: ESET\r\nThis latest version has extended surveillance capabilities, specifically targeting information collected from social media and messaging apps. The spyware can now record victims’ screens and take screenshots, record incoming and outgoing calls in WhatsApp, and read the text of notifications from social media apps, including WhatsApp, Facebook, Skype and Messenger.\r\nThe malware also leverages a tactic where it creates a blank screen overlay on the Android screen while it makes calls, which helps it hide its call activity. In another technique to hide its activity, the malware can dismiss its own notifications. Researchers say this is an unusual feature, possibly used in case of errors or warnings displayed by the malware.\r\nFinally, the new version of the malware can dismiss notifications from built-in security apps for Android devices (allowing it to hide security warnings of suspicious activity from the victim), including Samsung notifications, SecurityLogAgent notifications on Samsung devices, MIUI Security notifications on Xiaomi devices and Phone Manager on Huawei devices.\r\nThe malware’s C2 communications have also received a facelift. In older versions, the malware used a hardcoded C2, either available in plain text or trivially obfuscated – meaning it was easier to identify. In the updated version, however, the C2 is well hidden using various techniques and can be remotely changed by the attacker, making detection much more difficult, researchers said.\r\nOther APT-C-23 Sightings\r\nIt’s not the first analysis of APT-C-23 this year. At the beginning of 2020, Check Point Research reported new mobile malware attacks attributed to the APT-C-23 group. In April 2020, meanwhile, @malwrhunterteam tweeted about a new Android malware variant, which researchers – in cooperation with @malwrhunterteam – recognized to be part of the APT-C-23 operations. Then in June 2020, @malwrhunterteam tweeted about another Android malware sample, which was connected to the sample from April.\r\nAPT-C-23 malware timeline. Credit: ESET\r\nTo avoid falling victim to spyware, researchers advised Android users to only install apps from the official Google Play app store and to scrutinize apps’ permissions.\r\n“In cases where privacy concerns, access issues or other restrictions prevent users from following this advice, users should take extra care when downloading apps from unofficial sources,” said researchers. “We recommend scrutinizing the app’s developer, double-checking the permissions requested, and using a trustworthy and up-to-date mobile security solution.”\r\nSource: https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"
	],
	"report_names": [
		"159694"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18e22a5cf14b7e4e7d9f7ac1bbdd2bd27e5a8a4b.pdf",
		"text": "https://archive.orkl.eu/18e22a5cf14b7e4e7d9f7ac1bbdd2bd27e5a8a4b.txt",
		"img": "https://archive.orkl.eu/18e22a5cf14b7e4e7d9f7ac1bbdd2bd27e5a8a4b.jpg"
	}
}