
Android/Spy23C.A

Android/Spy23C.A is an Android Trojan designed to infiltrate mobile Android devices and collect various kinds of sensitive data from them. According to the researchers who analyzed it, this particular threat is not wholly unique. Instead, it is a modified version, with vastly expanded functionality, of a previously detected Android threat that has been observed in the repertoire of an Advanced Persistent Threat (APT) group called APT-C-23 (aka Two-Tailed Scorpion or Desert Scorpion). APT-C-23's previous threatening campaigns were directed at users in the Middle East, and Android/Spy23C.A has been employed in much the same manner.

Android/Spy23C.A is far More Potent than Previous Versions

To carry out its data-gathering activities, Android/Spy23C.A first needs to convince the targeted user to grant it several rather invasive permissions. This may be the reason the creators of the Trojan decided to use messaging applications as a plausible disguise. The deceitful social-engineering tricks begin even before the actual installation, as Android/Spy23C.A will ask to be allowed to record audio and video, take pictures, read and send SMS, and read and modify the contacts on the device. After installation, the threat takes advantage of the unsuspecting user to further expand its control over the device by acquiring additional permissions, but this time hiding its true intentions behind misleading pretenses for various features. For example, the Trojan tells the user that it can carry out Private Video Chats, but in reality it is asking for the ability to record the screen of the device. In another instance, the user is prompted to allow Message Encryption, which results in Android/Spy23C.A acquiring the ability to read the user's notifications.
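A defender-side triage check for the permission pattern described above, written here as an added example (it is not code from the page or from the researchers who analyzed the Trojan). It parses a constructed excerpt shaped like `adb shell dumpsys package <pkg>` output and a constructed value shaped like the `enabled_notification_listeners` secure setting; the package name `com.example.chat` is a placeholder.

```python
# Capabilities the page says the Trojan asks for at installation, keyed by the
# Android runtime permissions that grant them (real Android permission constants).
INVASIVE = {
    "record audio/video, take pictures": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "read and send SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "read and modify contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
}

# Constructed excerpt in the shape of `adb shell dumpsys package com.example.chat`; not a real capture.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.chat] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.WRITE_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed value in the shape of `adb shell settings get secure enabled_notification_listeners`.
# Notification access is not a runtime permission, so it has to be checked here, not in the manifest.
SAMPLE_LISTENERS = "com.example.chat/.NotifService:com.android.systemui/.Listener"


def requested_permissions(dumpsys_text):
    """Collect the entries under 'requested permissions:' up to the next section header."""
    perms, in_section = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
        elif in_section and stripped.endswith(":"):  # e.g. 'install permissions:' starts a new section
            in_section = False
        elif in_section and stripped.startswith("android.permission."):
            perms.add(stripped)
    return perms


def triage(package, dumpsys_text, listeners_setting):
    """Report which invasive capabilities a package requests and whether it holds notification access."""
    perms = requested_permissions(dumpsys_text)
    matched = sorted(cap for cap, needed in INVASIVE.items() if needed & perms)
    has_notification_access = any(entry.split("/")[0] == package
                                  for entry in listeners_setting.split(":") if entry)
    # A messaging app that requests every group above AND reads notifications fits the page's profile.
    return {"capabilities": matched, "notification_access": has_notification_access,
            "suspicious": len(matched) == len(INVASIVE) and has_notification_access}
```

Run it against real output from `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_notification_listeners` to review a sideloaded messaging app before trusting it.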

To hide its presence and harmful activity, the Trojan asks its victims to install the legitimate messaging application manually after it has been executed. The outcome is that the user has access to the real application with all of its functions, while Android/Spy23C.A silently collects data in the background without attracting much attention. In some cases, however, such as when the Trojan masquerades as WeMessage or AndroidUpdate, the applications downloaded by the victims serve only as a distraction and have no real functionality.

Android/Spy23C.A possesses all the capabilities of the previous versions used by APT-C-23. It can exfiltrate call logs, SMS messages and contacts, manipulate files on the device, uninstall any application, collect files with specific extensions, record audio and take pictures. This already impressive array of abilities has now been expanded with several new, powerful functions. Android/Spy23C.A can make calls while displaying a black screen on the device to hide its activity. To further hide its presence, the threat is able to dismiss various notifications from security applications, depending on the specific manufacturer of the mobile device, as well as dismissing its own notifications, a rather unique feature that, according to the cybersecurity researchers, may be used to hide specific error messages that could emerge during the Trojan's operations.

Android/Spy23C.A is Distributed through a Fake Application Store

As mentioned earlier, the main strategy of Android/Spy23C.A is to pose as legitimate messaging applications. To deliver them to the targeted users, the hacker group created a fake Android application store and hid the threatening applications among several legitimate ones. The particular applications carrying the threat were AndroidUpdate, Threema and Telegram. To limit the chance of accidental downloads by unintended targets, the criminals put a verification measure in place: users are required to enter a six-digit coupon code in order to initiate the download of the threatening applications.

The fake application store is not the only distribution method employed by APT-C-23, as evidenced by the fact that their Trojan tool has been observed posing as the WeMessage application, which is not among the applications available on the fake store. In a rather strange decision, the hackers appear to have created their own custom graphics and UI, as the imposter application shares no similarities with the legitimate WeMessage application besides the name.
