Google Play Boots Three Malicious Apps From Marketplace Tied to APTs

Two advanced persistent threat groups managed to sneak apps onto the Google Play marketplace earlier this year. Both were designed to conduct surveillance on targets located in the Middle East region, according to Lookout security researchers.

One of the groups, identified as APT-C-23 (also known as Two-Tailed Scorpion), used social engineering and apps hosted on Google Play in order to compromise Android smartphones. The second group, only identified as a mobile APT (mAPT), was distributing ViperRAT malware via chat apps (VokaChat and Chattak), also hosted on Google Play.

Desert Scorpion

Lookout said on April 3 it notified Google of a malicious app tied to APT-C-23 and a new malware family Desert Scorpion.

APT-C-23 has been active over the past year, tracked most recently by Trend Micro researchers in December 2017. That’s when researchers said APT-C-23 distributed GnatSpy mobile malware, believed to be a sophisticated variant of the Vamp and FrozenCell malware.

Lookout said this most recent campaign targeted over 100 targets located in Palestine.

“The app ties together two malware families — Desert Scorpion and another targeted surveillanceware family named FrozenCell — that we believe are being developed by a single, evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East,” Lookout researchers wrote in a report released Monday.

While the malware-infected app was hosted on Google Play, threat actors used social engineering in order to compromise the Android smartphones. Researchers said hackers posing as a young woman on social media enticed targets into downloading the chat application.

“We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family, a malicious chat application called Dardesh via links to Google Play,” researchers wrote.

The Dardesh chat app, once downloaded, acted as a dropper for the second-stage download of the malicious component of the app. “Desert Scorpion’s second stage masquerades as a generic ‘settings’ application,” researchers said.

Once stage-two is complete the app performs a number of surveillance functions ranging from device tracking, stealth audio recording, file retrieval and exfiltration data to C2 server. In all, the app can perform up to 22 different types of device user surveillance.

“The Lookout Threat Intelligence team is increasingly seeing the same tradecraft, tactics, and procedures that APT-C-23 favors being used by other actors. The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store, combined with social engineering delivered via social media platforms like Facebook, requires minimal investment in comparison to premium tooling like Pegasus or FinFisher,” Lookout wrote.

Unlike Dardesh and Desert Scorpion, which rely on a two-step infection process, researchers say the latest version of ViperRAT malware only relies on one step to carryout its device surveillance.

That’s a departure from nearly a dozen versions of ViperRAT found in February 2017 by Kaspersky Lab and Lookout. Those earlier versions were unique in that they targeted Israeli Defense Force (IDF) personnel. Attackers used female personas on Facebook to con IDF into downloading chat apps from Google Play. The chat apps acted as droppers to download the malicious surveillance-ware playload.

With this latest version of ViperRAT, “the victim is no longer required to enable third-party installations, indicating that the malware has become even more sophisticated than before,” researcher said.

Lookout said both apps, VokaChat and Chattak, are no longer available on Google Play. But, before Google shut down the developer accounts, both apps had combined downloads of 1,000.

“Previously, the actors behind ViperRAT used phishing schemes to trick targets in the Israeli Defense Force into downloading surveillanceware. We believe the same actors are behind this instance of the malware in Google Play and are likely using the legitimacy of the Play Store to make their phishing attacks more successful,” Lookout said.

According to a previous analysis of ViperRAT by Lookout, the malware collects sensitive information off of the devices targeted. Exfiltrated are images and audio content the attackers create by hijacking the device’s camera and recording functions.

“For the majority of 2017 ViperRAT activity has been sporadic, potentially due to the increased media attention around this malware family and the release of indicators of compromise that included associated domains. Despite this tapering off Lookout recently observed its appearance in the Google Play Store which we believe is a milestone for those deploying it,” they said.