New variant of spyware for Android spies on Telegram users
The malware is a new variant of the already existing malware used by the APT-C-23 group.
The cybercriminal group APT-C-23 (also known as Two-Tailed Scorpion and Desert Scorpion) has armed itself with a new version of its spyware for Android devices, with an updated C&C strategy and expanded spying functionality for tracking WhatsApp and Telegram users.
The malware, detected as Android/SpyC23.A under ESET's classification, is currently being used in a campaign against users in the Middle East. It is a new variant of the existing malware that the APT-C-23 group has used in earlier attacks.
“Our research shows that APT-C-23 is still active, improving its mobile attack toolbox and launching new campaigns. The new version of the spyware used by the group, Android/SpyC23.A, has received a number of improvements that make it even more dangerous for users,” according to a new report from the information security company ESET.
The APT-C-23 group and its malware for mobile devices were first detected in 2017 by several information security companies. An updated version of the malware, Android/SpyC23.A, has been in use since May 2019, but was only discovered in June of this year.
Attackers distribute the malware under the guise of the legitimate WeMessage messenger. The app is 100% malicious and doesn't look like the real thing. It has no functionality of its own, and its only purpose is to install spyware on the device.
How the new version of the malware is distributed is still unknown. Previous versions were distributed via apps on a rogue Android store called DigitalApps. Along with legitimate apps, this store also offered users fake software disguised as AndroidUpdate, Threema, and Telegram. However, the fake WeMessage messenger is not distributed via DigitalApps.