Hear this story and other latest updates on our Let's Talk Security Podcast Episode here:

Listen on Apple Podcasts
google-podcasts-logo-6

A team of researchers unveiled undisclosed capabilities of an Android spyware, that was developed by a sanctioned Iranian threat actor. This spyware can let attackers spy on private chats from popular instant messaging apps, force Wi-Fi connections, and also auto-answer calls from specific numbers that enable eavesdropping on conversations.


In September, the US Department of the Treasury imposed sanctions on APT39 (aka Chafer, ITG07, or Remix Kitten) — an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) — for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.

Coinciding with the sanctions, the Federal Bureau of Investigation (FBI) released a public threat analysis report describing several tools used by Rana Intelligence Computing Company, which operated as a front for the malicious cyber activities conducted by the APT39 group.
Formally linking the operations of APT39 to Rana, the FBI detailed eight separate and distinct sets of previously undisclosed malware used by the group to conduct their computer intrusion, including an Android spyware app called "optimizer.apk" with information-stealing and remote access capabilities.
"The APK implant had information stealing and remote access functionality which gained root access on an Android device without the user's knowledge," the agency stated.

"The main capabilities include retrieving HTTP GET requests from the C2 server, obtaining device data, compressing and AES-encrypting the collected data, and sending it via HTTP POST requests to the maliciours C2 server."
ReversingLabs, in a newly published report today, dug deeper into this implant ("com.android.providers.optimizer") using a previous unobfuscated version of the malware described in the FBI Flash report.

According to researcher Karlo Zanki, not only did the implant have permissions to record audio and take photos for government surveillance purposes, but it also contained a feature to add a custom Wi-Fi access point and force a device to connect to it.


"This feature was probably introduced to avoid possible detection due to unusual data traffic usage on the target's mobile account," Zanki stated in an analysis.
Also of note was the ability to automatically answer calls from specific phone numbers, thereby allowing the threat actor to tap on conversations on-demand.

The latest variant of "optimizer" malware mentioned by the FBI abused accessibility services to access contents of instant messaging applications such as Instagram, Telegram, WhatsApp, Viber, Skype, and an unofficial Iran-based Telegram client called Talaeii.

This story originally appeared on thehackernews.