Fake Threema, Telegram, and WeMessage Apps Spread Spyware

By Ava McKinneyOnline Safety

Fake Threema, Telegram, and WeMessage Apps Contain Spyware

Cybersecurity experts at ESET are warning that the hacker group APT-C-23 (also known as Desert Scorpion, Desert Falcon, and Arid Viper), notorious for its attacks in the Middle East and on military and educational institutions since at least 2017, is distributing new Android spyware disguised as fake versions of Threema, Telegram, WeMessage, and other apps.

Back in April 2020, security researchers from MalwareHunterTeam reported on Android spyware with a very low detection rate on VirusTotal. After analyzing this sample, ESET researchers concluded that it was part of the APT-C-23 group’s toolkit.

About two months later, in June of the same year, MalwareHunterTeam found another sample of the same malware hidden in an installation file for the Telegram messenger, which was available in the unofficial app store DigitalApps. ESET’s investigation revealed that this was not the only dangerous app present.

Advanced Spyware Features

According to ESET analysts, compared to the Android/SpyC23 versions documented in 2017, the new version has expanded spying capabilities. These include:

  • Reading notifications from messengers and social media apps (such as WhatsApp, Facebook, Telegram, Instagram, Skype, Messenger, Viber, and others)
  • Recording incoming and outgoing calls
  • Recording what’s happening on the device’s screen
  • Disabling notifications from built-in Android security tools

The last feature specifically targets security notifications from SecurityLogAgent on Samsung devices, security notifications from MIUI on Xiaomi devices, and Phone Manager on Huawei devices.

Additionally, experts remind users that Android/SpyC23 has long been able to take photos and record audio on infected devices, steal call logs and contact lists, download and delete files with certain extensions (pdf, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png), as well as apps, and has a range of other dangerous functions.

How Devices Get Infected

Devices become infected with this new malware when victims visit the unofficial DigitalApps app store and download apps like Telegram, Threema, WeMessage, AndroidUpdate, and others, which are used as bait. ESET specialists believe that DigitalApps is just one of the malware’s distribution channels, as researchers have previously found other infected apps that were not available in this store but contained similar malicious code.

Stay Safe

To protect your device, always download apps only from official sources like the Google Play Store, and be cautious of unofficial app stores and suspicious app downloads.

Leave a Reply