Android Spyware Stealing Your Communications
The actions of this malware were first recorded by Qihoo 360 in 2017. Termed as APT-C-23 (Two-tailed Scorpion or Desert Scorpion), it was responsible for many hacks in the Middle East and is able to spy on targets through their devices. It can exfiltrate call logs, contacts, location, messages, photos, and other sensitive data. While it was reported to spread under the disguise of legitimate tools, a 2018 report by Symantec says the newer variant of it spread as a media player and tricked targets to install it. Later, as reported by Check Point group, the operators have targeted Israeli soldiers through Facebook, Telegram and Instagram as young teenage girls to lure them in installing the spyware. And now, as freshly documented by ESET researchers, the latest version of this APT-C-23 spyware has a lot more spying features than the earlier versions. They say it’s now capable of stealing the communications from social media apps like Viber, Facebook’s Messenger, WhatsApp and Skype. It all begins with the target being lured to a fake appstore called “DigitalApps“, where they’d be directed to install the legitimately looking apps like Telegram, Threema and weMessage. Copying them is to convince the targets easily while asking for extensive permissions. Later, they would be communicating with hacker’s C2 to register the device. After this, it would disable Google’s Play Protect and even block notifications from inbuilt security apps to avoid being detected. Also, it can restart Wi-Fi and uninstall any app. It then starts recording audio, intercepts messages, takes screenshots and even checks on messages from various messengers via notification panel.