Android Spyware Posing As Threema and Telegram Apps

18 Nov 2020


Last month ESET researchers disclosed an evolved variant of Android spyware operated by the APT-C-23 group.

The group also goes by the name “Two-Tailed Scorpion”. Its activity was first documented in 2017, and it is mostly known for targeted attacks in the Middle East. APT-C-23 improved its spyware significantly in 2020: the current variant can record calls and the screen, and can read and dismiss notifications from apps installed on the device.

The malware is distributed through a fake Android app store called DigitalApps. The store offered both harmless and malicious applications, and some of its links redirected visitors to other unofficial stores.

The group chose to bundle its spyware with legitimate and trusted secure messengers such as Telegram and Threema.

Coupon Codes for Downloading Malware?

DigitalApps had several quirky procedures, and mixing benign and malicious apps was not the only one.

For example, users had to enter a six-digit coupon code before they could download an application. As ESET suggests, this likely serves to limit the number of victims and to filter out anyone who is not specifically targeted.

This gating helped the store stay under the radar: the sample had been in the wild since May without any major vendor detecting it. ESET first came across the spyware in June via MalwareHunterTeam, with some of the samples disguised as the WeMessage app.

WeMessage may not be as popular as Telegram or Threema, but it is a legitimate messaging app on Google Play. Curiously, the malicious variant looks nothing like the original, with different design and graphics, probably produced by the attackers themselves. The malicious WeMessage was not distributed through DigitalApps, and it is unclear how many people downloaded it.

Sometimes attackers only need to borrow the name of a trusted app to fool users into installing an invasive one.

Malware Behaviour Upon Installation

One might wonder why the operators chose instant messengers as cover for their spyware.

The answer is simple: messengers legitimately request many permissions, so the requests raise little suspicion. Earlier malicious apps posed as weather or news apps, and in those cases a request for access to the phonebook and messages stood out.

Not the case with modern instant messaging.

Because the spyware is delivered as an .apk file rather than through Google Play, users have to sideload it, which means allowing installs from unknown sources. The malicious package is essentially a dropper: the real app used as bait is stored in its resources, and it could be any instant messenger, not only Threema or Telegram.

When a user installs the package manually, they are first met with a series of permission requests, all of them before the actual messenger is even installed: taking pictures, recording video and audio, modifying contacts, and reading and sending SMS.

And that is not the full list of the spyware’s capabilities.
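An added example, not code from the original article or from ESET: a small Python triage script that performs two of the checks a practitioner would run on such a package before installing it, namely pulling the permission names out of the compiled manifest and looking for an APK hidden inside the package's assets or resources, which is the tell-tale layout of a dropper like the one described above. The sample APK it builds is constructed inline (its manifest is a stand-in string pool, not a real AXML file), and the list of sensitive permissions is an assumption based on the capabilities described in this article.

```python
import io
import os
import re
import tempfile
import zipfile

# Permissions a "messenger" dropper like the one described above asks for.
# Assumed list for this example; tune it to your own threat model.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

PERM_BYTES = re.compile(rb"android\.permission\.[A-Z_]+")
PERM_TEXT = re.compile(r"android\.permission\.[A-Z_]+")


def extract_permissions(manifest: bytes) -> set:
    """Pull android.permission.* names out of a compiled AndroidManifest.xml.

    Compiled (binary AXML) manifests keep strings in a pool encoded as either
    UTF-8 or UTF-16LE, so both encodings are scanned. This is a triage
    heuristic, not an AXML parser; confirm with 'aapt dump permissions'.
    """
    found = {m.decode() for m in PERM_BYTES.findall(manifest)}
    for offset in (0, 1):  # UTF-16 strings may begin on either byte boundary
        text = manifest[offset:].decode("utf-16-le", errors="ignore")
        found.update(PERM_TEXT.findall(text))
    return found


def looks_like_apk(blob: bytes) -> bool:
    """True if blob is a zip carrying a manifest and dex code, i.e. an APK."""
    if blob[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            names = inner.namelist()
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def triage_apk(path: str) -> dict:
    """Report requested permissions and any APK hidden inside the package."""
    with zipfile.ZipFile(path) as apk:
        perms = extract_permissions(apk.read("AndroidManifest.xml"))
        nested = [
            info.filename
            for info in apk.infolist()
            if not info.is_dir()
            and info.filename != "AndroidManifest.xml"
            and looks_like_apk(apk.read(info.filename))
        ]
    return {
        "permissions": perms,
        "sensitive": perms & SENSITIVE_PERMISSIONS,
        "nested_apks": nested,
    }


def _fake_manifest(perms) -> bytes:
    """Constructed stand-in for a compiled manifest: a UTF-16LE string pool.

    A real AXML file wraps the strings in chunk headers and a resource map;
    only the string encoding matters for the scan above.
    """
    return b"\x03\x00\x08\x00" + b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in perms)


def build_sample_apk(path: str) -> str:
    """Write a constructed dropper-style APK (not a real sample) to path."""
    # The legitimate-looking messenger that the dropper installs afterwards.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", _fake_manifest(["android.permission.INTERNET"]))
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    with zipfile.ZipFile(path, "w") as z:
        # Outer manifest mixes one UTF-8 entry with UTF-16LE ones on purpose.
        z.writestr("AndroidManifest.xml",
                   b"android.permission.INTERNET\x00" + _fake_manifest([
                       "android.permission.RECORD_AUDIO",
                       "android.permission.READ_SMS",
                       "android.permission.READ_CONTACTS",
                       "android.permission.SYSTEM_ALERT_WINDOW",
                   ]))
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("res/raw/splash.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("assets/messenger.apk", inner.getvalue())  # the real app, hidden
    return path


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    path = os.path.join(tempfile.mkdtemp(), "messenger_update.apk")
    return triage_apk(build_sample_apk(path))


if __name__ == "__main__":
    report = demo()
    print("requested :", sorted(report["permissions"]))
    print("sensitive :", sorted(report["sensitive"]))
    print("nested APK:", report["nested_apks"])
```

A package posing as a messenger that both requests several of the sensitive permissions and carries a second APK in its assets matches the dropper pattern above; treat the finding as a reason to analyse the sample with apktool or androguard rather than install it.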

Read All the Permission Requests

The permission requests also rely on confidence tricks to talk users into granting even more access.

For example, the spyware asks for notification access for “message encryption”, or to record the screen in order to provide “private” video chat. It can also restart Wi-Fi, exfiltrate all contacts, SMS messages and call logs, retrieve the SIM’s credit balance, and dismiss notifications from security apps, and even its own, so that an error in the spyware does not draw attention.

When the spyware makes a call, it draws a black overlay over the screen so the victim does not notice anything happening. The malware keeps a low profile while the real app is installed; in the end the victim has a working copy of the app they wanted, plus spyware running in the background.
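As an added example (not from the original article or from ESET), here are the device-side checks for the two capabilities just described: which apps hold notification access, read from the enabled_notification_listeners secure setting, and whether a package is allowed to draw over other apps. The two adb commands quoted in the comments are real; the sample outputs, the package name com.example.wemessage and the allowlist are constructed for this example, and the appops output format it parses is an assumption to verify against your own device.

```python
# Packages that legitimately hold notification access on this device.
# Assumed allowlist for the example; derive the real one from a known-good device.
KNOWN_GOOD_LISTENERS = {"com.android.systemui"}


def parse_enabled_listeners(value: str) -> list:
    """Parse the output of:
        adb shell settings get secure enabled_notification_listeners
    The value is a colon-separated list of ComponentName strings
    (package/class), or 'null' when no app has been granted access.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def suspicious_listeners(value: str, known_good=KNOWN_GOOD_LISTENERS) -> list:
    """Listener components whose package is not on the allowlist."""
    return [
        component
        for component in parse_enabled_listeners(value)
        if component.split("/", 1)[0] not in known_good
    ]


def overlay_allowed(appops_output: str) -> bool:
    """Interpret the output of:
        adb shell appops get <package> SYSTEM_ALERT_WINDOW
    Assumed format: 'SYSTEM_ALERT_WINDOW: allow; time=...' when the app may
    draw over other apps; 'deny', 'ignore' or 'No operations.' otherwise.
    """
    for line in appops_output.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";")[0].strip()
            return mode == "allow"
    return False


# Constructed sample outputs (not captured from a real device): SystemUI plus a
# sideloaded "messenger" that quietly obtained notification access.
SAMPLE_LISTENERS = (
    "com.android.systemui/com.android.systemui.notification.Listener:"
    "com.example.wemessage/com.example.wemessage.NotifService"
)
SAMPLE_APPOPS = "SYSTEM_ALERT_WINDOW: allow; time=+2h31m12s ago"

if __name__ == "__main__":
    for component in suspicious_listeners(SAMPLE_LISTENERS):
        print("notification access held by non-allowlisted app:", component)
    print("overlay allowed for sample package:", overlay_allowed(SAMPLE_APPOPS))
```

Notification access and the overlay permission are granted through separate system dialogs rather than the normal runtime permission prompt, which is exactly why the spyware has to talk the user into them; a sideloaded messenger holding both is a strong signal to pull the package for analysis.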

The malware quietly communicates with the attacker’s well-hidden command and control server. APT-C-23’s C&C servers often pose as websites “under maintenance,” yet another illusion.

It is in your best interest never to install anything from unofficial sources, and to be extra cautious when granting permissions. Question every single request, especially notification access and screen recording, which no messenger needs for “encryption”! Right now, installing secure messengers only from official app stores such as Google Play and the App Store, and keeping installs from unknown sources disabled, is your safest bet.

Keep away from unauthorized sources and stay safe!
