Google Play Boots Three Malicious Apps from Marketplace Tied to APTs
April 22, 2018
Seid Yassin

Two advanced persistent threat groups managed to sneak apps onto the Google Play marketplace earlier this year. Both were designed to conduct surveillance on targets located in the Middle East region, according to Lookout security researchers.

One of the groups, identified as APT-C-23 (also known as Two-Tailed Scorpion), used social engineering and apps hosted on Google Play in order to compromise Android smartphones. The second group, only identified as a mobile APT (mAPT), was distributing ViperRAT malware via chat apps (VokaChat and Chattak), also hosted on Google Play.

Desert Scorpion

Lookout said that on April 3 it notified Google of a malicious app tied to APT-C-23 and to a new malware family, Desert Scorpion.

APT-C-23 has been active over the past year, tracked most recently by Trend Micro researchers in December 2017. That’s when researchers said APT-C-23 distributed GnatSpy mobile malware, believed to be a sophisticated variant of the Vamp and FrozenCell malware.

Lookout said this most recent campaign hit over 100 targets located in Palestine.

“The app ties together two malware families — Desert Scorpion and another targeted surveillanceware family named FrozenCell — that we believe are being developed by a single, evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East,” Lookout researchers wrote in a report released Monday.

While the malware-infected app was hosted on Google Play, threat actors used social engineering in order to compromise the Android smartphones. Researchers said hackers posing as a young woman on social media enticed targets into downloading the chat application.

“We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family, a malicious chat application called Dardesh via links to Google Play,” researchers wrote.

Source | threatpost