Android Spyware Variant Snoops on WhatsApp, Telegram Messages

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Researchers say they have uncovered a new Android spyware variant with an updated command-and-control communication strategy and extended surveillance capabilities that snoops on social media apps WhatsApp and Telegram.

The malware, Android/SpyC32.A, is currently being used in active campaigns targeting victims in the Middle East. It is a new variant of an existing malware operated by threat group APT-C-23 (also known as Two-Tailed Scorpion and Desert Scorpion). APT-C-23 is known to utilize both Windows and Android components, and has previously targeted victims in the Middle East with apps in order to compromise Android smartphones.

“Our research shows that the APT-C-23 group is still active, enhancing its mobile toolset and running new operations,” according to researchers with ESET in a report released Wednesday. “Android/SpyC32.A – the group’s newest spyware version – features several improvements making it more dangerous to victims.” [...]

The detected malware samples were disguised as a legitimate messaging app offered through Google Play. The app, called WeMessage, is malicious, researchers said, and uses entirely different graphics and doesn’t seem to impersonate the legitimate app other than by name. Researchers said, this malicious app does not have any real functionality, and only served as bait for installing the spyware.

Researchers also said they don’t know how this fake WeMessage app was distributed. Previous versions of the malware were distributed in apps via a fake Android app store, called the “DigitalApps” store. The fake app store distributed both legitimate apps as well as fake apps posing as AndroidUpdate, Threema and Telegram. However, researchers said that the fake WeMessage app was not on the “DigitalApps” store.
Read more: Android Spyware Variant Snoops on WhatsApp, Telegram Messages

Full report by researchers from ESET: APT‑C‑23 group evolves its Android spyware | WeLiveSecurity
 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801
Starting from a little-known malware sample, security researchers tracked down a new Android spyware distributed through fake messaging apps like Threema, Telegram, and WeMessage.
The malware is from APT-C-23, a group of advanced hackers running espionage campaigns against military and educational institutions since before July 2015.
An updated version discovered earlier this year shows an impressive set of new features that let the spyware dismiss notifications from security solutions running on Samsung, Xiaomi, and Huawei devices, thus being able to operate silently.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I found it interesting that they can dismiss notifications from built-in security apps on some Android devices:
Dismiss notifications from built-in security apps on some Android devices:
  • SecurityLogAgent notifications on Samsung devices (package name contains “securitylogagent”)
  • Samsung notifications (package name contains “samsung.android”)
  • MIUI Security notifications on Xiaomi devices (package name contains “com.miui.securitycenter”)
  • Phone Manager on Huawei devices (package name contains “huawei.systemmanager”)
So, with this malware Samsung, Xiaomi and Huawei users are screwed if they rely on the built-in security apps.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
So, with this malware Samsung, Xiaomi and Huawei users are screwed if they rely on the built-in security apps.
Built-in security apps or even features are for sure not always the best solution. But many times one simply have to enable a setting or two to make it much better. Also with the introduction of Android 10, permission security was greatly improved.
on some Android devices
On some, is not the same as all Android devices. The research is on this specific matter a bit too poor. That supplied video shows a extrem amount of permission messages and is/should be a huge warning sign.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Built-in security apps or even features are for sure not always the best solution. But many times one simply have to enable a setting or two to make it much better. Also with the introduction of Android 10, permission security was greatly improved.

On some, is not the same as all Android devices. The research is on this specific matter a bit too poor. That supplied video shows a extrem amount of permission messages and is/should be a huge warning sign.
Of course, you are right, they found the dismiss notifications feature of this malware for Samsung, Xiaomi and Huawei devices, not for all android devices.
All those permissions are a clear warning but how many people would allow them anyway when asked by an app they installed themselves?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top