A new kind of Android spyware has been distributed by Transparent Tribe, a prolific APT group, under the guise of official COVID-19 applications – according to Kaspersky researchers.
The threat actors have capitalised on the pandemic to extend their operations and infect mobile devices. Recent findings show that the group has been actively working on improving its toolset and expanding its reach to include threats to mobile devices.
During the investigation, Kaspersky found a new Android implant that the threat actor uses to spy on mobile devices; it was distributed as fake national COVID-19 tracking apps.
The connection between the group and the two applications was made thanks to the related domains that the actor used to host malicious files for different campaigns.
Both applications, once downloaded, try to install another Android package file: a modified version of the AhMyth Android Remote Access Tool (RAT), an open-source malware downloadable from GitHub. The malicious apps were built by binding the RAT payload inside otherwise legitimate applications.
The modified version of the malware differs in functionality from the standard one. It includes new features added by the attackers to improve data exfiltration, while some core features, such as stealing pictures from the camera, are missing.
The implant can download new applications to the phone, access SMS messages, the microphone and call logs, track the device’s location, and enumerate files on the phone and upload them to an external server.
“To stay protected from such threats, users need to be more careful than ever in assessing the sources they download content from and make sure that their devices are secure. This is especially relevant to those who know that they might become a target of an APT attack,” says Giampaolo Dedola, a senior security researcher at Kaspersky’s Global Research and Analysis Team.