A newly discovered Android spyware that victimises Arabic-speakers has been potentially linked to the 2014-15 Sphinx cyber espionage campaign, which was launched by the threat group APT-C-15 to target PC users in the Middle East.
In a 19 December blog post and accompanying technical brief, researchers from Trend Micro's Mobile Threat Response Team revealed their findings after analysing seven apps found on Google Play or third-party app marketplaces that contained spyware dubbed AnubisSpy.
All of the apps are written in Arabic and somehow relate to Egypt – in certain cases, spoofing an Egyptian TV program or showcasing Middle Eastern news. They were signed with fake Google certificates and were installed in a “handful of countries in the Middle East,” Trend Micro further reports, citing Google. “The apps mainly used Middle East-based news and sociopolitical themes as social engineering hooks and abused social media to further proliferate,” the blog post explains.
According to the researchers, AnubisSpy is capable of stealing SMS messages, photos, videos, contacts, email accounts, and Chrome and Samsung Internet Browser histories, and can also take screenshots and record audio. Moreover, it can spy on infected victims via certain apps listed in its updatable configuration file, including Skype, WhatsApp, Facebook and Twitter.
Trend Micro reports that AnubisSpy shares the same file structures, command-and-control server, JSON file decryption technique, and targets as the aforementioned old Sphinx campaign, which typically used watering hole attacks to infect victims with the njRAT trojan. While the attackers behind AnubisSpy could be the original Sphinx operators, it is also possible they are separate actors, the researchers caution.
The researchers believe the apps were developed as far back as April 2015, with the latest variant signed on May 2017. Trend Micro says it contacted Google about the malicious apps on 12 October 2017, prompting the latter company to update Google Play protect accordingly.