ESET Research uncovers APT-C-23 group's new Android spyware masked as Threema and Telegram

ESET researchers started investigating the malware when a fellow researcher tweeted about an unknown, little-detected Android malware sample in April 2020.

Lukas Stefanko, Malware Researcher at ESET

Lukas Stefanko, Malware Researcher at ESET

DUBAI, UAE: ESET researchers have analyzed a new version of Android spyware used by APT-C-23, a threat group active since at least 2017 that is known for mainly targeting the Middle East. The new spyware, detected by ESET security products as Android/SpyC23.A, builds upon previously reported versions with extended espionage functionality, new stealth features and updated C&C communication. One of the ways the spyware is distributed is via a fake Android app store, impersonating well-known messaging apps, such as Threema and Telegram, as a lure.

ESET researchers started investigating the malware when a fellow researcher tweeted about an unknown, little-detected Android malware sample in April 2020. “A collaborative analysis showed that this malware was part of the APT-C-23 arsenal – a new, enhanced version of their mobile spyware,” explains Lukáš Štefanko, the ESET researcher who analyzed Android/SpyC23.A.

The spyware was found lurking behind seemingly legitimate apps in a fake Android app store. “When we analyzed the fake store, it contained both malicious and clean items. The malware was hiding in apps posing as AndroidUpdate, Threema and Telegram. In some cases, victims would end up with both the malware and the impersonated app installed,” comments Štefanko.

After installation, the malware requests a series of sensitive permissions, disguised as security and privacy features. “The attackers used social engineering-like techniques to trick victims into granting the malware various sensitive rights. For example, permission to read notifications is masked as a message encrypting feature,” details Štefanko.

Once initialized, the malware can carry out a range of espionage activities based on commands from its C&C server. Besides recording audio; exfiltrating call logs, SMS and contacts; and stealing files, the updated Android/SpyC23.A can also read notifications from messaging apps, make screen and call recordings, and dismiss notifications from some built-in Android security apps. The malware’s C&C communication has also undergone an update, making the C&C server more difficult to identify for security researchers.

The APT-C-23 group is known to have used both Windows and Android components in its operations, with the Android components first described in 2017 by Qihoo 360 Technology under the name Two-tailed Scorpion. Since then, multiple analyses of APT-C-23’s mobile malware have been published. Android/SpyC23.A – the group’s latest spyware version – features several improvements making it even more dangerous to victims.

“To stay safe from spyware, we advise Android users to only install apps from the official Google Play Store, double-check the permissions requested, and use a trustworthy and up-to-date mobile security solution,” concludes Štefanko.

For more technical details about this spyware, read the blog post “APT-C-23 group evolves its Android spyware ” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit  or follow us on LinkedIn, Facebook, and Twitter.

Media Contact
Vistar Communications
Hazem Abed

Send us your press releases to

© Press Release 2020

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.

More From Press Releases