Security researchers have spotted a new mobile malware family in the wild called GnatSpy that is likely linked to the notorious threat group APT-C-23, also known as "Two-tailed Scorpion". Trend Micro researchers believe the new, updated malware is a more dangerous variant of the threat group's VAMP malware.
VAMP targeted sensitive phone data, including contacts, call history, images and text messages, among other details. Researchers believe the new variant, GnatSpy, indicates that the hacking group is still active and continues to improve its product.
"Some C&C domains from VAMP were reused in newer GnatSpy variants, indicating that these attacks are connected," Trend Micro said in a blog post. "The capabilities of GnatSpy are similar to early versions of VAMP. However, there have been some changes in its behaviour that highlight the increasing sophistication of this particular threat actor."
According to Trend Micro, the structure of the new GnatSpy variants is quite different from earlier malware variants.
"More receivers and services have been added, making this malware more capable and modular. We believe this indicates that GnatSpy was designed by someone with more knowledge in good software design practices compared to previous authors," researchers said. "The new code also makes much more use of Java annotations and reflection methods. We believe that this was done to evade attempts to detect these apps as malicious."
While earlier versions of VAMP listed the command and control (C&C) server in plain text in their code, GnatSpy stores the server address in encoded form to avoid easy detection, and obtains the actual C&C URL through a function call.
"The URL hardcoded in the malware is not the final C&C server, however," researchers noted. "Accessing the above URL merely sends back the location of the actual C&C server."
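One way a defender might hunt for the two-stage C&C lookup described above in proxy logs: a client fetches a locator URL, the response carries a different host's URL, and the same client then contacts that host shortly afterwards. This is an added example, not code from Trend Micro or the article; the log line format, hostnames, timestamps and the assumption that the locator response carries the real server's URL in readable form are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def parse_line(line):
    """Parse one constructed proxy-log line of the form:
    <iso-timestamp> <client-ip> <method> <url> <status> <response-body-excerpt>"""
    ts, client, method, url, status, body = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "status": int(status), "body": body}

def find_two_stage_lookups(lines, window=timedelta(minutes=10)):
    """Return (client, locator_url, follow_up_url) triples: a client fetched a URL
    whose response body named a *different* host, then contacted that host within
    `window`. Single pass; log lines are assumed to be sorted by timestamp."""
    pending = []   # (client, target_host, seen_at, locator_url)
    hits = []
    for ev in (parse_line(l) for l in lines if l.strip()):
        req_host = urlparse(ev["url"]).hostname
        # Stage 2: is this request going to a host an earlier response pointed at?
        for p in list(pending):
            client, target_host, seen_at, locator = p
            if ev["ts"] - seen_at > window:
                pending.remove(p)          # pointer too old, drop it
            elif client == ev["client"] and req_host == target_host:
                hits.append((client, locator, ev["url"]))
                pending.remove(p)
        # Stage 1: a response body naming some other host becomes a pending pointer
        for m in URL_RE.findall(ev["body"]):
            target = urlparse(m).hostname
            if target and target != req_host:   # same-host links are normal web traffic
                pending.append((ev["client"], target, ev["ts"], ev["url"]))
    return hits

SAMPLE_LOG = """\
2017-12-01T10:00:00 10.0.0.5 GET http://locator.example.test/loc 200 http://cc.example.test:8080/api
2017-12-01T10:00:07 10.0.0.5 POST http://cc.example.test:8080/api/checkin 200 ok
2017-12-01T10:02:00 10.0.0.9 GET http://cdn.example.test/page 200 <a href="http://cdn.example.test/img.png">
2017-12-01T10:30:00 10.0.0.5 GET http://news.example.test/ 200 see http://other.example.test/x
2017-12-01T11:00:00 10.0.0.5 GET http://other.example.test/x 200 ok
""".splitlines()

if __name__ == "__main__":
    for hit in find_two_stage_lookups(SAMPLE_LOG):
        print("two-stage C&C lookup:", hit)
```

Only the first pair in the constructed log is reported: the same-host link on the third line is ignored, and the fourth and fifth lines fall outside the ten-minute window.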
The version of Apache used has also been upgraded from 2.4.7 to 2.4.18.
While earlier versions of VAMP targeted the System Manager on Huawei and Xiaomi devices, GnatSpy features several function calls that target newer Android versions such as Marshmallow and Nougat.
GnatSpy is also able to pull much more information from an infected device including the SIM card status as well as battery, memory and storage usage.
It is still unclear how the hacker group is distributing the malicious files to unsuspecting victims, researchers said. They suspect the group is currently sending them directly to users as updates to download and install on their devices.
"They had names like 'Android Setting' or 'Facebook Update' to make users believe they were legitimate," researchers noted. "We have not detected significant numbers of these apps in the wild, indicating their use is probably limited to specific targeted groups or individuals.
"Threat actors can be remarkably persistent even if their activities have been exposed and documented by researchers. This appears to be the case here. The threat actors behind GnatSpy are not only continuing their illicit activities, but they are also improving the technical capabilities of their malware."