Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
APT C-23, a cyberespionage group (also known as GnatSpy, FrozenCell, VAMP, AridViper, and Desert Falcon), is active in the Middle East region, targeting different sectors with malicious documents. The group was discovered around March 2017, and its main target emerged as the Middle East.
The group has previously faked an Android app to deploy Android/SpyC23, used mainly for spying: it reads notifications from messaging apps, records calls and the screen, and includes new stealth features such as dismissing notifications from built-in Android security apps.
“The new variants appear in the form of an app that purports to install updates on the target’s phone, with names that include App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the apps are delivered to specific users by means of SMS text messages linking to downloads.”
The ongoing campaign targets Middle Eastern countries with malicious Android apps. The apps use social engineering to get the user to grant advanced permissions, justifying each request with a false pretext. For instance, the request to “Enable Notifications” claims that the app needs this functionality or else “you won’t receive notifications in real time.”
The app also asks the user to enable the device admin permission, or else “system won’t secure your internet connection.”
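The traits described above (an update-themed app name, notification access, device admin) can be checked together against a mobile app inventory. The following is an added example, not code from this advisory or from Sophos; the inventory schema, package names and sample records are hypothetical and constructed, and treating only Google Play as a trusted installer is an assumption.

```python
import re

# App names quoted in the advisory (compared case- and whitespace-insensitively).
LURE_LABELS = {"app updates", "system apps updates", "android update intelligence"}
# Android manifest permissions behind the prompts described above. The BIND_*
# ones are declared on the service/receiver component, not via <uses-permission>.
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
RECORD_AUDIO = "android.permission.RECORD_AUDIO"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, extend per fleet policy

def findings(app):
    """Return the advisory-related traits present in one inventory record."""
    perms = set(app.get("permissions", []))
    label = re.sub(r"\s+", " ", app.get("label", "")).strip().lower()
    checks = [
        ("lure-label", label in LURE_LABELS),
        ("sideloaded", app.get("installer") not in TRUSTED_INSTALLERS),
        ("notification-listener", NOTIF_LISTENER in perms),
        ("device-admin", DEVICE_ADMIN in perms),
        ("record-audio", RECORD_AUDIO in perms),
    ]
    return [name for name, hit in checks if hit]

def verdict(app):
    """'high' = lure name plus both prompts on a sideloaded app; 'review' = partial match."""
    hits = set(findings(app))
    combo = {"sideloaded", "notification-listener", "device-admin"} <= hits
    if combo and "lure-label" in hits:
        return "high"
    if combo or {"lure-label", "sideloaded"} <= hits:
        return "review"
    return "ok"

# Constructed sample inventory (hypothetical schema and package names).
INVENTORY = [
    {"label": "System  Apps Updates", "package": "com.example.sysupd", "installer": None,
     "permissions": [NOTIF_LISTENER, DEVICE_ADMIN, RECORD_AUDIO]},
    {"label": "Corp MDM Agent", "package": "com.example.mdm", "installer": "com.android.vending",
     "permissions": [NOTIF_LISTENER, DEVICE_ADMIN]},
    {"label": "Flashlight", "package": "com.example.torch", "installer": None,
     "permissions": [NOTIF_LISTENER, DEVICE_ADMIN]},
    {"label": "App Updates", "package": "com.example.upd", "installer": None, "permissions": []},
]

if __name__ == "__main__":
    for app in INVENTORY:
        print(app["package"], verdict(app), findings(app))
```

A store-installed management agent holding both permissions stays "ok", while a sideloaded app holding them is queued for review even under an unrelated name, since app labels are trivial to change.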