ESET catches spyware posing as Telegram, Android messaging apps

It's the latest example of mobile malware aiming to sneak onto user devices.

A hacking group that typically spies on targets in the Middle East has updated its malware and is distributing it through bogus versions of popular messaging apps such as Telegram, researchers say.

The malware has been circulating since May 2019, according to Slovakia-based antivirus company ESET, which identified it in collaboration with researchers at MalwareHunterTeam. ESET does not speculate about the intentions of the group, known as APT-C-23 or Two-tailed Scorpion, but in 2017 and 2018, other researchers linked it to the Palestinian organization Hamas.

In most cases, victims are infected by visiting a fake app store, “DigitalApps,” containing both clean and malicious software, ESET said in findings published Wednesday. The malware was hidden in apps posing as Telegram, as another messaging platform, Threema, and as a utility labeled AndroidUpdate. Users who downloaded the two messaging apps got the apps’ full functionality but were also infected with malware, ESET says.

By impersonating an encrypted messaging app like Telegram, the hackers can get access to private communications that otherwise would be tough to intercept. Companies that sell spyware to governments use similar techniques to help their clients conduct surveillance. More broadly, mobile malware can also be an avenue for advertising fraud that can fund a hacking group’s other operations.


The research does not mention specific targets, but ESET says its technology “blocked this spyware on client devices in Israel” in June 2020. That particular sample — disguised as the messaging app WeMessage — does not appear to have come from the fake app store, the researchers say.

Once installed, the malicious software “requests a number of invasive permissions, including taking pictures and videos, recording audio, reading and modifying contacts, and reading and sending SMS,” writes researcher Lukas Stefanko in a blog post. “After installation, the malware requests a series of additional, sensitive permissions, using social engineering-like techniques to fool technically inexperienced users.”

APT-C-23 appears to be mostly interested in espionage. The malware “has extended spying functionality, including reading notifications from messaging apps, call recording and screen recording, and new stealth features, such as dismissing notifications from built-in Android security apps,” Stefanko writes.
