A hacking group, active in the Middle East since at least 2017, has been detected impersonating popular messaging applications like Telegram and Threema. This tactic is part of their strategy to deploy a new variant of malware targeting Android devices, a threat that had not been previously documented.
According to cybersecurity firm ESET, this new malware variant, referred to as Android/SpyC23.A, significantly enhances the spying capabilities compared to earlier versions from 2017. Notable features include the ability to read notifications from messaging platforms, record calls and screen activity, as well as advanced stealth operations, such as hiding notifications from native Android security applications.
The malware was originally identified by Qihoo 360 in 2017, dubbed “Two-tailed Scorpion” (also known as APT-C-23 or Desert Falcon). It has since been categorized as “surveillanceware” due to its extensive surveillance capabilities, which include exfiltrating call logs, contacts, location data, messages, photos, and other sensitive files from targeted users.
In 2018, Symantec uncovered a more sophisticated variant of this malware campaign that utilized a malicious media player to extract information and trick victims into installing further malware. More recently, Check Point Research highlighted ongoing APT-C-23 activity, revealing that actors associated with Hamas were using fake profiles of young women on social media to lure Israeli soldiers into downloading malware-infected applications.
The updated spyware outlined by ESET not only retains its previous functionalities but also adds capabilities to gather information from social media and messaging apps through screen recordings and screenshots. Additionally, it can monitor incoming and outgoing calls on platforms such as WhatsApp, as well as read notification texts from various social media applications, including Viber, Facebook, Skype, and Messenger.
The infection chain begins when a user visits a fraudulent Android app store called “DigitalApps” and downloads applications posing as Telegram, Threema, and weMessage. Impersonating a messaging app gives the malware a plausible justification for the extensive permissions it requests during installation.
The malware employs manipulative requests for permissions that appear benign, such as reading notifications, disabling Google Play Protect, and recording the user’s screen. It communicates with command-and-control (C2) servers—often disguised as maintenance pages—to register infected devices and relay commands that allow audio recording, Wi-Fi management, and app uninstallation, among other operations.
An alarming new capability allows the malware to execute calls covertly while overlaying a black screen to obscure call activity from the user. ESET’s investigation suggests that the APT-C-23 group remains operational, continuously refining its mobile toolkit and launching new campaigns. The advancements in Android/SpyC23.A render it a more potent threat to potential victims.
In recent years, fraudulent third-party app stores have become a common pathway for Android malware. Users should install apps only from authorized sources to reduce exposure to malware, and should scrutinize the permissions an application requests before installing it.
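As an added example (not part of the original article or ESET's research), the triage below maps the permissions a decoded AndroidManifest.xml requests onto the capabilities the article attributes to this spyware, so an analyst can spot when a supposed messenger asks for far more than a messenger needs. The capability-to-permission mapping and the sample manifest are my own constructions; the permission names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permissions mapped to the capabilities the article attributes to
# Android/SpyC23.A. The mapping is my own triage heuristic, not ESET's.
CAPABILITY_PERMISSIONS = {
    "call recording / call log access": {"android.permission.RECORD_AUDIO",
                                         "android.permission.READ_CALL_LOG"},
    "covert calls": {"android.permission.CALL_PHONE"},
    "black-screen overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "Wi-Fi management": {"android.permission.CHANGE_WIFI_STATE"},
    "app uninstallation": {"android.permission.REQUEST_DELETE_PACKAGES"},
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return {capability: sorted evidence} from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = {cap: sorted(perms & requested)
                for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & requested}
    # Notification access is not a uses-permission: the app declares a service
    # guarded by BIND_NOTIFICATION_LISTENER_SERVICE, so inspect <service> too.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER:
            findings.setdefault("reading notifications", []).append(svc.get(ANDROID_NS + "name"))
    return findings

def is_suspicious_messenger(manifest_xml: str) -> bool:
    """A chat app legitimately needs RECORD_AUDIO; overlay + notification
    listener + package deletion together is the cluster worth escalating."""
    found = set(triage_manifest(manifest_xml))
    return {"black-screen overlay", "reading notifications", "app uninstallation"} <= found

# Constructed sample manifest for a fake messenger (not from any real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemessenger">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest` on a manifest extracted with a tool such as apktool; `is_suspicious_messenger` flags the permission cluster rather than any single permission, since RECORD_AUDIO alone is normal for a voice-capable messenger.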