A form of Android malware now houses surveillance tools that allow it to spy on users of WhatsApp, Instagram, and Skype. Security researchers say the evolution of previously known malware linked to a group called APT39 makes it more dangerous.
APT39 is an Iranian threat group that usually engages in cyberespionage attacks on behalf of the Iranian government. Law enforcement agencies in the U.S. believe APT39 also operates under a shell company known as RANA Intelligence Computing Co.
In response to the new information, the FBI published a public threat advisory following an investigation into Rana Corp. Security researchers also studied output from the company and found malware samples that show an Android attack has evolved to include surveillance capabilities.
“It’s important to remember that there are many reasons that cause threat groups to turn their focus to specific targets,” said researchers with ReversingLabs in a Monday analysis. “Whether it’s political dissidents, opposition in countries under authoritarian regimes, or corporations the threat actors goal is to make gains monetarily or politically.”
This is a new capability for the malware, which was previously limited to taking data through remote access exploits. Because it now also targets mobile services it can tap into instant messaging services like Skype and WhatsApp.
Specifically, the Android Accessibility Service that can be exploited by the malware.
“Looking at the monitored IM applications additionally proves that this malware is probably used for the surveillance of Iranian citizens,” researchers point out. “One of the monitored IM applications is a package named ‘org.ir.talaeii,’ which is described as ‘an unofficial Telegram client developed in Iran.’”
Surveillance issues are not the only threat the malware poses. It can also receive commands from the server used by SMS, which means it can intercept SMS. Furthermore, the attack can also start audio recordings and take photos on an exploited Android device.
“The malware also enables scheduling a device boot at some specific moment, ensuring malware activation even when someone turns off the phone,” the researchers add.