A threat actor who has targeted the Middle East in the past has developed its Android mobile Spyware. The advanced Android mobile spyware is more stealthy and lethal: stealthy as the mobile spyware comes under the wrap of a benign app update to escape detection.

The new variants have got features that make them difficult to hunt. Pankaj Kohli, Sophos threat researcher remarked, “incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down their command-and-control server domains,”

Also read,

The spyware has other names: VAMP, FrozenCell, GnatSpy, and Desert Scorpion, and the APT-C-23 threat group has used it since 2017. They have modified the variants for making them more effective and dangerous by adding lethal features. These features are extended surveillance functionality to vacuum files, images, contacts and call logs, read notifications from messaging apps, record calls (including WhatsApp), and dismiss notifications from built-in Android mobile security apps.

Previously, the malware has been planted through fraud app stores appearing as AndroidUpdate, Threeema, and Telegram. The latest attack method follows the earlier pattern. Malware is pushed as app updates, system app updates and Android Update Intelligence to trick the user.

“Spyware is a growing threat in an increasingly connected world,” Kohli said. “The Android mobile spyware linked to APT-C-23 has been around for at least four years, and attackers continue to develop it with new techniques that evade detection and removal.”