Earlier this year researchers first disclosed a targeted attack campaign targeting various sectors in the Middle East. This threat actor was called Two-tailed Scorpion/APT-C-23. Later on, a mobile component called VAMP was found, with a new variant (dubbed FrozenCell) discovered in October. (We detect these malicious apps as ANDROIDOS_STEALERC32).
VAMP targeted various types of data from the phones of victims: images, text messages, contacts, and call history, among others. Dozens of command-and-control (C&C) domains and samples were found, which were soon disabled or detected.
Recently, Trend Micro researchers came across a new mobile malware family which we have called GnatSpy. We believe that this is a new variant of VAMP, indicating that the threat actors behind APT-C-23 are still active and continuously improving their product. Some C&C domains from VAMP were reused in newer GnatSpy variants, indicating that these attacks are connected. We detect this new family as ANDROIDOS_GNATSPY.
We do not know for sure how these files were distributed to users. It is possible that threat actors sent them directly for users to download and install on their devices. They had names like “Android Setting” or “Facebook Update” to make users believe they were legitimate. We have not detected significant numbers of these apps in the wild, indicating their use is probably limited to specific targeted groups or individuals.
New capabilities of GnatSpy
The capabilities of GnatSpy are similar to early versions of VAMP. However, there have been some changes in its behavior that highlight the increasing sophistication of this particular threat actor.
App structure organization – expanded and improved
The structure of the new GnatSpy variants is very different from previous variants. More receivers and services have been added, making this malware more capable and modular. We believe this indicates that GnatSpy was designed by someone with more knowledge in good software design practices compared to previous authors.
Figures 1 and 2. Old and new receivers and services
The new code also makes much more use of Java annotations and reflection methods. We believe that this was done to evade attempts to detect these apps as malicious.
Figures 3 and 4. Java annotations and reflection methods
Earlier versions of VAMP contained the C&C server used in simple plain text, making detection by static analysis tools an almost trivial affair.
Figure 5. C&C server in plaintext
GnatSpy has changed this. The server is still hardcoded in the malicious app’s code, but is now encoded to evade easy detection:
Figures 6 and 7. Obfuscated C&C server
A function call is in the code to obtain the actual C&C URL:
Figures 8 and 9. Function call to obtain C&C server URL
The URL hardcoded in the malware is not the final C&C server, however. Accessing the above URL merely sends back the location of the actual C&C server:
Figures 10 and 11. Request and response pair for C&C server
The WHOIS information of the C&C domains used now uses domain privacy to conceal the registrant’s contact information.
Figure 12. WHOIS information
It’s also worth noting that some of these C&C domains are newly registered, highlighting that these attackers are still active even though their activities have been reported:
Figure 13. Newly registered C&C domain
The domain names used are also curiously named. They used names of persons, but while some names appear to be those of real persons (or plausibly real names), others appear to have been directly taken from various television shows. The rationale for using these names remains unclear.
The version of Apache used has also been updated, from 2.4.7 to 2.4.18. All domains now forbid directory indexing; in at least one earlier C&C domain this was left enabled.
Figure 14. Directory indexing disabled
We note here that two of the C&C domains we encountered – specifically, cecilia-gilbert[.]com and lagertha-lothbrok[.]info – were also reported to be connected to VAMP and FrozenCell, respectively. This indicates that the threat actors behind GnatSpy are likely to be connected to these previous attacks, as well.
Increased compatibility and stolen information
Earlier samples called the System Manager on Huawei devices to grant permissions to itself:
Figure 15. Code calling app on Huawei devices
A similar line was added for Xiaomi devices:
Figure 16. Code calling app on Xiaomi devices
GnatSpy also includes several function calls targeting newer Android versions (Marshmallow and Nougat):
Figures 17 and 18. Code for Marshmallow and Nougat Android versions
More information about the device is stolen as well, including information about the battery, memory and storage usage, and SIM card status. Curiously, while previous samples collected information about the user’s location via OpenCellID, this is no longer done by GnatSpy.
Threat actors can be remarkably persistent even if their activities have been exposed and documented by researchers. This appears to be the case here. The threat actors behind GnatSpy are not only continuing their illicit activities, but they are also improving the technical capabilities of their malware.
Trend Micro™ Mobile Security for Android™ (also available on Google Play) detects these malicious apps. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise
Apps/files with the following hashes are connected to GnatSpy:
|5de5b948aeca6e0811f9625dec48601133913c24e419ce99f75596cb04503141||com.fakebook||App System Installer|
The following domains were used by various C&C servers: