Iranian-Linked Android Spyware Sneaks Into Private ChatsResearchers: Malware Tied to Hacking Group That US Treasury Had Sanctioned
The hacking group behind an Android spyware variant has added fresh capabilities, including the ability to snoop on private chats on Skype, Instagram and WhatsApp, according to a report from the security firm ReversingLabs.
The group suspected of developing the malware, which is known as APT39 - and also called Chafer, Remexi, Cadelspy and ITG07 - is believed to have ties to the Iranian government and was the focus of sanctions issued by the U.S. Treasury Department in September (see: US Imposes Sanctions on Iranian APT Group).
In issuing the sanctions, the Department of the Treasury's Office of Foreign Assets Control noted that APT39, along with an associated company called Rana Intelligence Computing Co., are controlled by Iran's Ministry of Intelligence and Security.
At the time sanctions were issued, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency released the source code for eight sets of malware Rana used to conduct various computer intrusion activities.
When examining one of those malware variants, called "com.android.providers.optimizer," the ReversingLabs researchers discovered fresh variants of the Android malware with expanded functionality to improve its espionage capabilities, according to the report.
"Because of all these capabilities, gaining control over someone’s smartphone provides the malicious actor with a powerful espionage tool," Karlo Zanki, a reverse engineer at ReversingLabs, notes in the report.
The earlier version of this Android malware that the FBI uncovered relied on exploiting remote external services on internet-facing assets to gain initial access to the device, which then allowed the hackers to steal data or keep track of the user, according to the report.
The newer version, the ReversingLabs analysis found, takes advantage of a targeted device's Android Accessibility Services, which are designed to assist users with disabilities, according to the report. These services generally run in the background but can access apps and other components within an Android device. By accessing these services, hackers can gain control over a device without the victim knowing (see: Mobile Malware Bypasses Banks' 2-Factor Authentication: Report).
Once a targeted device's accessibility services are compromised, the malware can give the hackers access to a variety of applications, including Skype, Instagram and WhatsApp, according to the report.
"Looking at the monitored IM applications additionally proves that this malware is probably used for the surveillance of Iranian citizens," Zanki notes. "One of the monitored IM applications is a package named 'org.ir.talaeii,' which is described as 'an unofficial Telegram client developed in Iran."
The malware can also hack commands sent by SMS, according to the report.
"In that case, the malware intercepts the received SMS, and if it starts with a predefined command header, the malware aborts further propagation of the SMS_RECEIVED Intent. This prevents the received SMS from ending up in the default SMS application," Zanki notes.
The malware also can take photos with a compromised device's camera and configure audio recordings, according to the report. The hackers can also use the malware to add a custom Wi-Fi access point and to force the device to connect to it.
"This feature was probably introduced to avoid possible detection due to unusual data traffic usage on the target's mobile account," Zanki says.
The ReversingLabs report notes the Android spyware was targeting specific individuals. The Treasury Department said APT39 and Rana are suspected of monitoring Iranian citizens, particularly dissidents, journalists, former government employees, environmentalists, refugees, university students and faculty, and employees at international nongovernmental organizations.
Rana has previously targeted at least 15 U.S. companies and hundreds of individuals and entities from more than 30 countries across Asia, Africa, Europe and North America, the FBI says.