Iranian gang APT42 uses custom Android spyware in attacks

September 13, 2022

Security researchers have recently documented APT42, an Iranian state-sponsored threat group that uses custom Android spyware to conduct surveillance on its victims and steal data for intelligence purposes.

The group's earliest known campaigns date back to 2015 and have relied on spear-phishing attacks against targets including government institutions, law enforcement agencies, journalists, academics, and Iranian protesters.


APT42 uses custom Android spyware in their campaigns to track victims’ activities, access their devices, and steal important data.


Once the malware is installed on a victim's device, it begins collecting communication data such as text messages, call logs, and audio recordings. It can also take photos, activate the microphone, record active phone calls, and track the device's GPS location.

According to the researchers, the custom Android spyware is delivered through SMS phishing (smishing) campaigns. The malicious messages contain links that direct targets to what is presented as a messaging or VPN app, supposedly to help them bypass government restrictions; the app they install is the spyware.
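The delivery method above (a sideloaded "VPN" or messaging app) and the capability list in the previous paragraph suggest a simple triage check an analyst can run on a suspicious APK's manifest: a VPN client has no reason to request SMS, call-log, microphone, camera and location access together. The following is an added example written for this page, not code from the article or from any researcher report on APT42. The mapping from the described capabilities to Android permission names, the list of permissions considered normal for a VPN app, the flagging threshold, and both sample manifests are assumptions constructed for illustration; a real sample may obtain the same capabilities through other routes (for example the accessibility service) that this check does not cover.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities the article attributes to the spyware, mapped to the standard
# Android permissions an app would normally need to implement each of them.
# Assumption: this mapping is illustrative, not taken from any sample.
CAPABILITY_PERMISSIONS = {
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read call log": {"android.permission.READ_CALL_LOG"},
    "record audio/calls": {"android.permission.RECORD_AUDIO"},
    "take photos": {"android.permission.CAMERA"},
    "track location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "read contacts": {"android.permission.READ_CONTACTS"},
}

# Permissions a VPN client can legitimately need; anything outside this set
# is reported as unexpected. Assumption: illustrative allowlist.
EXPECTED_FOR_VPN_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed sample manifests (not real samples). The first mimics a fake
# "VPN" app that requests the full surveillance permission set; the second
# is a plausible benign VPN client.
FAKE_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free VPN"/>
</manifest>
"""

BENIGN_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Plain VPN"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def surveillance_capabilities(perms):
    """List the surveillance capabilities the requested permissions enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml, threshold=3):
    """Flag a manifest when it enables at least `threshold` surveillance
    capabilities; also report permissions a VPN app would not need."""
    perms = requested_permissions(manifest_xml)
    caps = surveillance_capabilities(perms)
    return {
        "capabilities": caps,
        "unexpected_permissions": sorted(perms - EXPECTED_FOR_VPN_APP),
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("fake", FAKE_VPN_MANIFEST), ("benign", BENIGN_VPN_MANIFEST)):
        print(label, triage(manifest))
```

The threshold matters: a legitimate messaging app may reasonably ask for SMS and contacts, so a single match is not evidence of anything. It is the combination of microphone, camera, call log and location on an app that advertises itself as a VPN that should send the APK to a sandbox for dynamic analysis.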

With the help of the custom Android spyware, the threat group can collect highly confidential material and intelligence on its targets of interest, including their movements, plans, personal information, and contacts.

Aside from Android devices, the group also maintains custom malware for Windows, with the same goal of spying on victims and collecting sensitive information.

Since 2015, APT42 has been actively running campaigns, with attacks reported in at least 14 countries across 30 separate operations. Researchers believe these reports cover only a fraction of the group's activity, and that the known operations surfaced mainly because of slip-ups in the group's anti-detection measures.

Notable victims of the threat group include a vaccinologist at Oxford University, foreign pharmaceutical companies, and political science instructors in the UAE and Belgium.

Security experts have also noted an overlap between APT42's tactics and ransomware activity that abuses BitLocker, the full-disk encryption feature built into Windows, to lock victims out of their own systems. The researchers further see a connection between APT42 and APT35, since both are linked to the Islamic Revolutionary Guard Corps (IRGC), an organisation the US has designated as a foreign terrorist organisation.
