New GnatSpy Mobile Malware Family Discovered [source: trendmicro]

Earlier this year researchers first disclosed a targeted attack campaign targeting various sectors in the Middle East. This threat actor was called Two-tailed Scorpion/APT-C-23. Later on, a mobile component called VAMP was found, with a new variant (dubbed FrozenCell) discovered in October. (We detect these malicious apps as ANDROIDOS_STEALERC32).

VAMP targeted various types of data from the phones of victims: images, text messages, contacts, and call history, among others. Dozens of command-and-control (C&C) domains and samples were found, which were soon disabled or detected.

Recently, Trend Micro researchers came across a new mobile malware family which we have called GnatSpy. We believe that this is a new variant of VAMP, indicating that the threat actors behind APT-C-23 are still active and continuously improving their product. Some C&C domains from VAMP were reused in newer GnatSpy variants, indicating that these attacks are connected. We detect this new family as ANDROIDOS_GNATSPY.

We do not know for sure how these files were distributed to users. It is possible that threat actors sent them directly for users to download and install on their devices. They had names like “Android Setting” or “Facebook Update” to make users believe they were legitimate. We have not detected significant numbers of these apps in the wild, indicating their use is probably limited to specific targeted groups or individuals.

For more, click here.