A team of researchers today unveiled previously undisclosed capabilities of an Android spyware implant—developed by a sanctioned Iranian threat actor—that could let attackers spy on private chats from popular instant messaging apps, force Wi-Fi connections, and auto-answer calls from specific numbers for purposes of eavesdropping on conversations.
In September, the US Department of the Treasury imposed sanctions on APT39 (aka Chafer, ITG07, or Remix Kitten) — an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) — for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.
Coinciding with the sanctions, the Federal Bureau of Investigation (FBI) released a public threat analysis report describing several tools used by Rana Intelligence Computing Company, which operated as a front for the malicious cyber activities conducted by the APT39 group.
Formally linking the operations of APT39 to Rana, the FBI detailed eight separate and distinct sets of previously undisclosed malware used by the group to conduct their computer intrusion and reconnaissance activities, including an Android spyware app called "optimizer.apk" with information-stealing and remote access capabilities.
"The APK implant had information stealing and remote access functionality which gained root access on an Android device without the user's knowledge," the agency stated.
"The main capabilities include retrieving HTTP GET requests from the C2 server, obtaining device data, compressing and AES-encrypting the collected data, and sending it via HTTP POST requests to the malicious C2 server."
ReversingLabs, in a newly published report today, dug deeper into this implant ("com.android.providers.optimizer") using a previous unobfuscated version of the malware described in the FBI Flash report.
According to researcher Karlo Zanki, not only did the implant have permissions to record audio and take photos for government surveillance purposes, but it also contained a feature to add a custom Wi-Fi access point and force a compromised device to connect to it.
"This feature was probably introduced to avoid possible detection due to unusual data traffic usage on the target's mobile account," Zanki said in an analysis.
Also of note was the ability to automatically answer calls from specific phone numbers, thereby allowing the threat actor to tap on conversations on-demand.
Besides featuring support for receiving commands sent via SMS messages, the latest variant of "optimizer" malware referenced by the FBI abused accessibility services to access contents of instant messaging applications such as WhatsApp, Instagram, Telegram, Viber, Skype, and an unofficial Iran-based Telegram client called Talaeii.
It's worth noting that Telegram had previously issued "unsafe" warnings to users of Talaeii and Hotgram in December 2018 following disclosure from the Center for Human Rights in Iran (CHRI) citing security concerns.
"When targeting individuals, threat actors often want to monitor their communication and movement," Zanki concluded. "Mobile phones are most suitable for such goals because of the computing power contained in your pocket, and the fact that most people carry them all the time."
"Since the Android platform maintains the biggest part of the global smartphone market share, it follows that it is also the primary target of mobile malware."