Security teams from ESET have discovered a previously unreported version of Android spyware variant used by a hacking group known as Two-tailed Scorpion mainly targeting Meddle Eastern organizations. These threat actors are known due to its use of Windows and Android components for their operations. The malware variant has been tracked as Android/SpyC23.
Two-tailed Scorpion was first detected by Qihoo 360 in 2017. Months after, Palo Alto Networks and several other security firms described other versions of the mobile malware. According to the VirusTotal service, no security vendor besides ESET detected the sample back then. In cooperation with Malware Hunter Team, ESET recognized the malware to be part of the APT-C-23 toolkits.
According to the specialists, the malware is distributed employing a fake Android app store known as “DigitalApps”, which hosted legitimate and malicious developments. This spying software was hidden in apps disguised as AndroidUpdate, Threema and Telegram, so its scope is considerable.
Downloads at DigitalApps were limited by needing to enter a six-digit coupon code, the experts mentioned. This may be a mechanism to prevent a massive scale of users from downloading them, which indicates that threat actors are targeting specific users. Nonetheless, ESET researchers were able to download the spyware by simply adding “/download” to the URL.
Besides, experts believe that malicious hackers can target users by other attack methods.
Once installed, Android/SpyC23 allows threat actors to perform several malicious tasks such as:
- Activate users’ camera
- Recording audio
- WiFi restart
- Call logs, SMS messages and contact lists exfiltration
- File downloading and deleting
- Stealing files with particular extensions (pdf, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png)
- Hidding its own icon
Android users should only install apps from the official Play Store to prevent spyware downloading and installation. ESET experts also recommend scrutinizing the app’s developer information, double-checking the permissions requested for each new app, and relying on trusted mobile security tools.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.