Security News > 2020 > December > Iranian RANA Android Malware Also Spies On Instant Messengers
A team of researchers today unveiled previously undisclosed capabilities of an Android spyware implant-developed by a sanctioned Iranian threat actor-that could let attackers spy on private chats from popular instant messaging apps, force Wi-Fi connections, and auto-answer calls from specific numbers for purposes of eavesdropping on conversations.
In September, the US Department of the Treasury imposed sanctions on APT39 - an Iranian threat actor backed by the country's Ministry of Intelligence and Security - for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors.
Formally linking the operations of APT39 to Rana, the FBI detailed eight separate and distinct sets of previously undisclosed malware used by the group to conduct their computer intrusion and reconnaissance activities, including an Android spyware app called "Optimizer.apk" with information-stealing and remote access capabilities.
"The APK implant had information stealing and remote access functionality which gained root access on an Android device without the user's knowledge," the agency stated.
Besides featuring support for receiving commands sent via SMS messages, the latest variant of "Optimizer" malware referenced by the FBI abused accessibility services to access contents of instant messaging applications such as WhatsApp, Instagram, Telegram, Viber, Skype, and an unofficial Iran-based Telegram client called Talaeii.
News URL
Related news
- Android malware "FakeCall" now reroutes bank calls to attackers (source)
- New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls (source)
- New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Cyber crooks push Android malware via letter (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- SpyLoan Android malware on Google play installed 8 million times (source)
- 8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play (source)
- New DroidBot Android banking malware spreads across Europe (source)
- New DroidBot Android malware targets 77 banking, crypto apps (source)