{
	"id": "44d1d90b-06af-452c-aa51-24403f30cc84",
	"created_at": "2026-04-06T00:09:56.000306Z",
	"updated_at": "2026-04-10T03:30:33.035843Z",
	"deleted_at": null,
	"sha1_hash": "ccb964a7fb791d229effd3d7eb28a107e1a0cf5f",
	"title": "Android APT spyware, targeting Middle East victims, enhances evasiveness",
	"llm_title": "",
	"authors": "Pankaj Kohli",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1334959,
	"plain_text": "Android APT spyware, targeting Middle East victims, enhances evasiveness\r\nBy Pankaj Kohli\r\nPublished: 2021-11-23 · Archived: 2026-04-05 22:58:18 UTC\r\nSource: https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/\r\nNewly discovered variants of an Android spyware previously attributed to an advanced persistent threat actor group called C-23 (also known as GnatSpy, FrozenCell, or VAMP) have incorporated new features into their malicious apps that make them more resilient both to users who try to remove them manually and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control (C2) server domains.\r\nThe C-23 threat actor has, in the past, targeted individuals based in the Middle East, particularly in the Palestinian Territories. The group has been active since at least 2017.\r\nThe spyware app initially disguises itself as something called “App Updates”\r\nThe new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads. To the best of our knowledge, none of the apps have been hosted on the Google Play Store, though Sophos did reach out to the Android security team and sent details about the apps to the company.\r\nOnce installed, the spyware sends unique, identifiable device parameters to its command-and-control server. One of the newer features of this variant is that it initially uses a hardcoded C2 address to communicate, but also contains code that allows the operators of the spyware to push down a new address. This ability can keep the malware functional if one or more of the C2 server domains is taken down. The new variants did not conceal or obfuscate the C2 server address in any way.\r\nCode that can modify the C2 domain on a running installation is a notable new feature\r\nMany of the new variants were found to have been digitally signed by a certificate (with serial number ece521e38c5e9cbea53503eaef1a6ddd204583fa) that Sophos has associated with malware for years.\r\nChanging disguises after installation\r\nThe first time the user opens the app, it requests that the user grant the app specific permissions to do the kinds of things you’d expect spyware to do: it requests permissions to record ambient audio and to access all files stored on the device.\r\nBut the apps also use a bit of social engineering to ask the user to grant advanced permissions: notification access, device administrator, and the ability to observe the user’s actions while interacting with apps.\r\nThe app’s requests appear to justify the need for the additional features, but they’re lies. For instance, the request to “Enable Notifications” claims that the app needs this functionality or else “you won’t receive notifications in real time.” But that isn’t what the Notification Access permission does.\r\nWhen prompted to enable this feature, the app pushes the user to a system permissions window that accurately describes what the permission does. The threat actors may assume that the target won’t carefully read, or understand, the consequences of clicking Allow on this screen.\r\nThis permission grants the spyware the ability to read the full text of messages and the names of contacts from any app, such as Facebook or WhatsApp, as well as to dismiss notifications from other apps (such as a mobile anti-malware app’s warnings) or toggle the Do Not Disturb settings on the phone. The device administrator permission gives the operator of the app the ability to lock the phone, but according to our analysis, the spyware’s current version has no capability to do this.\r\nThe app prompts the user to enable the device admin permission or else the “system won’t secure your internet connection.” In reality, the feature the spyware wants the user to enable would let the spyware lock the phone.\r\nThe final prompt asks the user to change a setting with a vague warning about something being blocked as a result of battery optimization. Like the other prompts, this is also bogus. This prompt redirects the user to enable a feature that permits the spyware to identify what apps you use, and when you’re using them. The spyware sends that information onward to its C2 server.\r\nOnce the target has granted all these permissions, the app disguises itself to evade any attempts at manual removal by the user. The method to attain stealth appears to be new to this version: the spyware changes its icon (and name) to disguise itself using the icon of one of four apps: Google Play, YouTube, Google, or Botim (a VoIP calling app).\r\nOnce this happens, the next time the spyware app is opened, the spyware launches the real app whose disguise it wears (for example, it opens Chrome if it disguises itself as Chrome), giving the user the illusion that the app is legitimate.\r\nThe spyware app icon appears as “App Updates” before the change, and afterward takes on the icon of the Chrome browser, launching that app when the user taps the icon.\r\nThe apps contain a text string, in Arabic, that they send to the command-and-control server when the icon has been changed. This string is present in these new versions of the malware:\r\nتم تغيير الأيقونة\r\n(“The icon has been changed.”)\r\nWe also found that it tried to install its own version of Botim from the application’s assets, a functionality we believe was meant for future versions, as the samples did not contain (or try to download) any Botim APK file.\r\nEach functionality of the spyware has a command associated with it. The commands are received via Firebase messaging, and the spyware performs the corresponding function as and when instructed.\r\nThe live C2 servers posed as websites for Laravel, a web application framework.\r\nYet many of the functionalities of the spyware remain unchanged. The app does the following things:\r\nCollects SMS messages, contacts, and call logs\r\nCollects images and documents\r\nRecords audio, including incoming and outgoing calls and WhatsApp calls\r\nTakes screenshots and records video of the screen\r\nTakes pictures using the camera\r\nHides its own icon\r\nReads notifications from WhatsApp, Facebook, Facebook Messenger, Telegram, Skype, IMO Messenger, or Signal\r\nCancels notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager), as well as from Android system apps, the package installer, and its own notifications\r\nInternal logging shows the app writing out the contents of the contact list, call logs, and SMS messages to a Zip archive it later uploads to its C2.\r\nDon’t be a spyware victim\r\nTo avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating the Android OS and applications should be done via Android Settings and Google Play respectively, instead of relying on a third-party app.\r\nUsers should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access. Users can view the apps currently holding device admin and notification access permissions by browsing to Settings and searching for “Device admin apps” and “Notification access” respectively.\r\nDetections and acknowledgments\r\nWe also advise users to consider installing an antivirus app on their mobile device such as Sophos Intercept X for Mobile, which defends their device and data from such threats. SophosLabs has published indicators of compromise on its GitHub page. These samples are detected by Sophos Intercept X for Mobile as Andr/Spy-BFI.\r\nSophosLabs would like to acknowledge that @malwrhunterteam initially alerted us to some of the samples in this post. Andrew Brandt conducted additional research for this article.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"
	],
	"report_names": [
		"android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccb964a7fb791d229effd3d7eb28a107e1a0cf5f.pdf",
		"text": "https://archive.orkl.eu/ccb964a7fb791d229effd3d7eb28a107e1a0cf5f.txt",
		"img": "https://archive.orkl.eu/ccb964a7fb791d229effd3d7eb28a107e1a0cf5f.jpg"
	}
}