# APT-C-23 Using New Variant Of Android Spyware To Target Users In The Middle East **[blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/](https://blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/)** September 15, 2021 [During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post mentioning a](https://twitter.com/malwrhunterteam/status/1437498154501480451) new variant of Android malware used by APT-C-23. This Advanced Persistent Threat (APT) group was first identified in 2017, where they targeted more than 100 devices from Palestine. This variant calls itself Google_Play_Installer7080009821206716096 to trick users into thinking it’s an APK related to Google Play. Cyble Research Labs downloaded the sample and identified that APT-C-23, also known as “the two-tailed scorpion,” targets the Middle East with this version of Android malware. This malware can steal sensitive information like Contact data, SMS data, and files from the infected device. The delivery mechanisms used by the Threat Actors (TAs) are through phishing or via a fake Android app store; this application has an icon that is similar to the Telegram app. Once the malware is successfully executed on the affected Android device, it can perform several malicious activities without the user’s knowledge. These activities include taking pictures, recording audio, disabling WiFi, stealing call logs, stealing SMSs, stealing Contact data, and steal files of a wide range of extensions (PDF, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png), etc. The malware can also make calls without the user’s knowledge, delete files from the device, record the victim device’s screen, take screenshots, read the text content, and record incoming and outgoing calls in WhatsApp. Additionally, the malware checks for telecom operating out of the Middle East and specifically targets them. In 2020, APT-C-23 was also responsible for the attack on Israeli Defense Forces (IDF). ## Technical Analysis ### APK Metadata Information App Name: Google Play Installer Package Name: org.telegram.light SHA256 Hash: c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2 Figure 1 shows the metadata information of the application. ----- Figure 1 Metadata Information We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 2. The application has a similar icon as Telegram official app. The application asks for Contacts, call logs, and SMS permissions. The application asks users to grant admin rights. The application asks the users to allow access to notifications. The application asks permission to install 3 party applications.rd The application shows the Telegram app UI. Figure 2 Application Start Flow Upon simulating the application, we observed that it requests users for permissions to access Contacts, Call logs, and SMS data. Refer to Figure 3. ----- Figure 3 Requests Sensitive Permissions Figure 4 shows the malware asking users for device admin activation. Once the malware gains admin rights, then it can enhance its features. Figure 4 Requests for Admin Activation Figure 5 shows that the malware asks the users to enable notification access for the application. Once the application gains notification access, it can read all notifications on the device, including SMS data. ----- Figure 5 Asks for Notification Access Upon receiving notification access, the application prompts users asking for permission to install 3 partyrd applications. Once it gains this permission, the application will be able to install other applications or update itself. Refer to Figure 6. Figure 6 Asks for 3rd Party App Installation Permission Figure 7 shows that after getting the required permissions, the malware opens a UI that is similar to the official Telegram app. ----- Figure 7 Similar UI as Telegram App ## Manifest Description **Voicemail requests thirty-five different permissions, of which the attackers can abuse eighteen. In this case,** the malware can: Read, delete or modify SMSs, call logs, and Contact data. Make calls without user interaction Delete SMS data Kill background processes of other apps Receive and send SMSs Reads current cellular network information, phone number and the serial number of the affected phone, the status of any ongoing calls, and a list of any phone accounts (for example: firmware accounts such as Samsung account) registered on the device. Read, delete or modify the files on the device’s external storage Disable the keylock and any associated password security measures such as biometric verification. We have listed the dangerous permissions below. **Permissions** **Description** READ_SMS Access phone messages. READ_CONTACTS Access phone contacts. KILL_BACKGROUND_PROCESSES Allows applications to kill the background processes of other apps. CALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. RECEIVE_SMS Allows an application to receive SMS messages. SEND_SMS Allows an application to send SMS messages. ----- READ_CALL_LOG Access phone call logs. READ_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. REORDER_TASKS Allows the app to push tasks to the foreground and background. WRITE_CONTACTS Allows the app to modify the device’s contacts data. WRITE_EXTERNAL_STORAGE Allows the app to write or delete files to the external storage of the device. READ_EXTERNAL_STORAGE Allows the app to read the contents of the device’s external storage. RECORD_AUDIO Allows the app to record audio with the microphone, which can be misused by the attackers. PROCESS_OUTGOING_CALLS Allows the app to process outgoing calls and modify the dialling number. WRITE_CALL_LOG Allows the app to modify the device’s call log. DISABLE_KEYGUARD Allows the app to disable the keylock and any associated password security. READ_PROFILE Allows the app to read personal profile information such as name and contact information stored on the device. SYSTEM_ALERT_WINDOW Allows the app to draw on top of other applications. Table 1 Permissions’ Description The below image shows that the malware has defined services that can be used to read notification data on the device. Refer to Figure 8. Figure 8 Service to Read Notifications The below image shows that the malware has defined services that can be used for Accessibility services. Refer to Figure 9. Figure 9 Service Defined for Accessibility The below image shows that the malware has a defined receiver that can be used to gain system-level device administration access. Refer to Figure 10. Figure 10 Receiver Defined to Gain Admin Rights ----- ## Source Code Description The below images show that the malware checks for various telecom companies operating in the Middle East. Refer to Figure 11. Figure 11 Checks for Sim Operator Company The code given in Figure 12 shows that the malware is capable of reading Contact data. Figure 12 Reads Contacts Data The code shown in Figure 13 demonstrates that the malware is capable of reading SMS data. ----- Figure 13 Reads SMS Data The code shown in Figure 14 demonstrates that the malware is capable of reading CallLogs data from the device. Figure 14 Reads Call Logs The code shown in Figure 15 demonstrates that the malware is capable of calling any number without the user’s knowledge or interaction. ----- Figure 15 Can Make Calls The below code shows that the malware is capable of capturing pictures without user interaction. Refer to Figure 16. Figure 16 Capture Pictures The code shown in Figure 17 demonstrates that the malware can steal specific files from the device based on the various extensions shown in the below table. **File Type** **Description** .pdf Portable Document Format .doc DOCument ----- .docx DOCument .ppt PowerPoint presentation .pptx PowerPoint presentation .xls Microsoft Excel spreadsheet file .xlsx Microsoft Excel spreadsheet file .txt TeXT .text TeXT Table 2 File Type Description Figure 17 Steals Specific Files The below code demonstrates that the malware is capable of reading WhatsApp text data and recording incoming and outgoing WhatsApp calls. Refer to Figure 18. Figure 18 Reads and Records WhatsApp Data The below code demonstrates that the malware is capable of recording audio from the device. Refer to Figure 19. ----- Figure 19 Records Audio The below code demonstrates that the malware is capable of disabling WiFi connections. Refer to Figure 20. Figure 20 Disabled Wi Fi The below code demonstrates the URL’s connectivity to post the data to the server. Refer to Figure 21. Figure 21 URL Connection ----- ## Conclusion APT-C-23 TA groups use Android spyware to specifically target users in the Middle East. These TAs are constantly adapting their methods to avoid detection and find new ways to target users through sophisticated techniques. One of the most common methods used to infect devices is by disguising the malware as a supposedly legitimate Google application to confuse users into installing them. Users should only install applications after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: Download and install software only from official app stores like the Google Play Store. Ensure that Google Play Protect is enabled on Android devices. Users should be careful while enabling any permissions on their devices. If you find any suspicious applications on your device, uninstall, or delete them immediately. Use the shared IOCs to monitor and block the malware infection. Keep your anti-virus software updated to detect and remove malicious software. Keep your Android device, OS, and applications updated to the latest versions. Use strong passwords and enable two-factor authentication. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Initial Access** [T1444](https://attack.mitre.org/versions/v7/techniques/T1444/) [T1476](https://attack.mitre.org/versions/v7/techniques/T1476/) Masquerade as Legitimate Application Deliver Malicious App via Other Means **Execution** [T1575](https://attack.mitre.org/versions/v7/techniques/T1575/) Native Code **Persistence** [T1402](https://attack.mitre.org/versions/v7/techniques/T1402/) Broadcast Receivers **Defense Evasion** [T1508](https://attack.mitre.org/versions/v7/techniques/T1508/) Supress Application Icon **Collection** [T1412](https://attack.mitre.org/techniques/T1412) [T1432](https://attack.mitre.org/techniques/T1432/) [T1433](https://attack.mitre.org/versions/v7/techniques/T1433/) [T1517](https://attack.mitre.org/versions/v7/techniques/T1517/) [T1429](https://attack.mitre.org/versions/v7/techniques/T1429/) [T1512](https://attack.mitre.org/versions/v7/techniques/T1512/) [T1533](https://attack.mitre.org/versions/v7/techniques/T1533/) [T1513](https://attack.mitre.org/versions/v7/techniques/T1513/) Capture SMS Messages Access Contacts List Access Call Log Access Notifications Capture Audio Capture Camera Data from Local System Screen Capture **Impact** [T1447](https://attack.mitre.org/versions/v7/techniques/T1447/) Delete Device Data ## Indicators of Compromise (IOCs) **Indicators** **Indicator** **type** **Description** ----- **c8d51db4b2171f289de67e412193d78ade58ec7a7de7aa90680c34349faeeee2** SHA256 Malicious APK **hxxps://linda-gaytan[.]website** URL Communicating URL **hxxps://cecilia-gilbert[.]com** URL C2 Domain **hxxps://david-gardiner[.]website** URL Communicating URL **hxxps://javan-demsky[.]website** URL C2 Domain ## About Us [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from](https://cyble.com/) cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn [more about Cyble, visit www.cyble.com.](https://cyble.com/) -----