Wednesday, April 30, 2025

APT‑C‑23 Hacker Group Attacks Android Users That Records Calls & Take Pictures Silently


Security researchers discovered new spyware used by the APT-C-23 threat group to target Android users through a fake Android app store.

APT-C-23, a threat group also known as Two-tailed Scorpion, mainly targets the Middle East. The Android spyware used by the group was first spotted in 2017; the recent version was found to have extended spying functionality.

Earlier this year Check Point warned of APT-C-23 attacks targeting mobile devices, and in April and June @malwrhunterteam tweeted about new Android malware samples that were found to be connected to the group.


Android Malware Via Fake App Store

ESET researchers observed a fake Android app store “DigitalApps” used by the threat actor group to distribute the malware.

The fake app store hosts both malicious and clean items: the non-malicious applications redirect users to another unofficial Android app store, while the malicious apps carry the malware hidden alongside their advertised functionality.

The attackers mainly use messaging apps as the lure, tricking users into granting a number of permissions that include “taking pictures and videos, recording audio, reading and modifying contacts, and reading and sending SMS.”

Some of the apps the attackers use to hide the malware include AndroidUpdate, Threema, and Telegram.

Once the malware is initialized, in most cases victims are asked to install a legitimate app that carries the malware's resources. The malware is installed on the phone silently alongside the legitimate app, and the spyware then runs in the background.

When the malware is launched for the first time it registers the victim with the C&C server and sends the device information to that server.

The following are the capabilities of the malware:

  • Take pictures
  • Record audio
  • Restart Wi-Fi
  • Exfiltrate call logs
  • Exfiltrate all SMS messages
  • Exfiltrate all contacts
  • Download files to the device
  • Delete files from the device
  • Steal files with particular extensions (pdf, doc, Docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png)
  • Uninstall any app installed on the device
  • Steal APK installers of apps installed on the device
  • Hide its icon
  • Get credit balance of SIM on the device (it can get a balance by making a call to three different cellular operators: Jawwal, Wataniya, Etisalat)
  • Record screen and take screenshots
  • Record incoming and outgoing calls in WhatsApp
  • Make a call while creating a black screen overlay activity (to hide call activity)
  • Read the text of notifications from selected messaging and social media apps: WhatsApp, Facebook, Telegram, Instagram, Skype, Messenger, Viber, imo
  • Dismiss notifications from built-in security apps on some Android devices:
  • Dismiss its notifications (an unusual feature, possibly used in case of errors or warnings displayed by the malware)
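Most of the capabilities above are only possible if the app declares the matching Android permissions, so a first triage step for a suspicious APK is to map its declared permissions onto that capability list. The script below is an added example written for this article, not code from ESET or from the malware; it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the two manifests embedded in it are constructed samples, not real malware artifacts.

```python
"""Map the permissions declared in a decoded AndroidManifest.xml onto the
spying capabilities attributed to the APT-C-23 Android spyware.

Added example (not ESET's or the article's code). Assumes the manifest has
already been decoded to text XML; the sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability named in the article -> permissions that normally grant it.
# The mapping is an assumption for triage, not a statement about the sample.
CAPABILITY_PERMISSIONS = {
    "take pictures / record screen": {"android.permission.CAMERA"},
    "record audio and calls": {"android.permission.RECORD_AUDIO"},
    "exfiltrate call logs": {"android.permission.READ_CALL_LOG"},
    "read / send SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "read / modify contacts": {"android.permission.READ_CONTACTS",
                               "android.permission.WRITE_CONTACTS"},
    "make calls (SIM balance check)": {"android.permission.CALL_PHONE"},
    "restart Wi-Fi": {"android.permission.CHANGE_WIFI_STATE"},
    "black screen overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "steal files by extension": {"android.permission.READ_EXTERNAL_STORAGE"},
    "uninstall apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
}
# Reading other apps' notifications needs a service bound with this permission.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def notification_listener_services(manifest_xml):
    """Return service names that bind as a notification listener."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(NAME_ATTR) for svc in root.iter("service")
            if svc.get(PERMISSION_ATTR) == NOTIFICATION_LISTENER]


def matched_capabilities(manifest_xml):
    """Capabilities from the article that the manifest's permissions enable."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & needed)
            for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if notification_listener_services(manifest_xml):
        hits["read notifications of other apps"] = [NOTIFICATION_LISTENER]
    return hits


def triage(manifest_xml, threshold=5):
    """Score = number of enabled spying capabilities; threshold is a tunable guess."""
    hits = matched_capabilities(manifest_xml)
    return {"capabilities": hits, "score": len(hits), "suspicious": len(hits) >= threshold}


# Constructed sample: a fake messenger declaring the permission set the article lists.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemessenger">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a benign camera utility that only needs the camera and network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fake messenger", SPYWARE_MANIFEST), ("flashlight", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']}")
        for cap, perms in result["capabilities"].items():
            print(f"  {cap}: {', '.join(perms)}")
```

The permission-to-capability map is a triage heuristic: a legitimate messenger also asks for the camera, microphone and contacts, so the signal is the breadth of the set (call logs, SMS sending, overlays and a notification listener together), which is why the score counts distinct capabilities rather than raw permissions. Capabilities that need no declared permission, such as hiding the launcher icon or hosting a second APK in the app's resources, have to be checked in the decoded code and assets instead.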

For C&C communication the attackers mainly use websites that appear to be under maintenance, and the communication with the C&C server is encrypted.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
