APT C-23 also known as AridViper and Desert Falcon is active in the region targeting different sectors with their malicious documents. The group’s discovery came around March 2017 and their main target emerged as the Middle East. The group has previously faked an android app to deploy Android/SpyC23 mainly for spying, including reading notifications from messaging apps, call recording and screen recording, and with new stealth features, such as dismissing notifications from built-in Android security apps.
A new sample also seems to be used by APT-C-23. Once it gets executed, a document relating to What does profit from the internet means? is shown to confuse the victim and meanwhile RAT is executed to perform remote control
This is relevant to the ongoing spying campaign already active in the middle east via Android Mobile apps which confers resistance to takedowns and manual removal as well. The spyware are in the form of apps that includes App Updates, System Apps Updates, or Android Update Intelligence, which are being sent to the users in the form of text messages and after installations in asks for specific permissions which includes access media apps and other files app in your phone.