The Iranian threat actors are backed by the country's Ministry of Intelligence and Security (MOIS) and run espionage campaigns that target dissidents, Iranian journalists, and international organizations in the telecom and travel sectors. Their tactics include auto-answering calls and forcing Wi-Fi connections on specific targeted phone numbers in order to eavesdrop on conversations.
According to the FBI, the RANA Intelligence Computing Company, also known as RANA Corp, is a Ministry of Intelligence and Security (MOIS) front company in Tehran, Iran, that carries out these malicious cyber activities. The group is known in cybersecurity circles as APT39, Chafer, Remexi, Cadelspy, and ITG07.
How the FBI traced APT39 operations to RANA
The Federal Bureau of Investigation (FBI) traced eight distinct sets of previously undisclosed malware that the APT group employed to conduct intrusion and reconnaissance activities, including an Android spyware app called "optimizer.apk" that possesses data-stealing and remote access capabilities.
Its capabilities include communicating with the command-and-control (C2) server via HTTP GET requests, stealing device data, AES-encrypting the collected data, and sending it to the C2 server via HTTP POST requests.
The APK implant also gains root access on Android devices without the user's approval or knowledge, which is what makes the combination of data theft and remote control possible.
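The traffic pattern described above (regular HTTP GET polling of the C2 host, followed by HTTP POST requests carrying an encrypted payload) is something a defender can hunt for in web-proxy logs. The following is an added example written for this page; it is not code from the FBI report, from the article, or from the malware. The log line format (timestamp, client, method, host, path, bytes, optional body), the thresholds, and the sample log lines are all constructed assumptions for illustration and contain no real indicators.

```python
"""Flag clients whose web traffic matches a GET-for-tasking / POST-for-exfil
beacon pattern: periodic GETs to one host plus a POST body that looks
encrypted (high Shannon entropy).

Added example, not code from the article, the FBI, or the malware.
Log format, thresholds and sample data are assumptions for illustration."""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log format:
#   "<ISO time> <client> <METHOD> <host> <path> <bytes> [body=<payload>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<bytes>\d+)(?: body=(?P<body>\S+))?$"
)

MIN_GETS = 4        # need at least this many polls before judging regularity
MAX_JITTER = 0.2    # pstdev/mean of GET intervals; human browsing is far more erratic
MIN_ENTROPY = 4.5   # bits per character; encrypted-then-encoded bodies sit near 6

# Constructed sample (documentation IP ranges, no real indicators):
# 10.0.0.7 polls one host every ~300 s and then POSTs a high-entropy blob;
# 10.0.0.8 is ordinary browsing with a low-entropy form POST.
SAMPLE_LOG = """\
2020-09-17T08:00:00 10.0.0.7 GET 203.0.113.10 /api/check?id=42 312
2020-09-17T08:05:01 10.0.0.7 GET 203.0.113.10 /api/check?id=42 312
2020-09-17T08:09:59 10.0.0.7 GET 203.0.113.10 /api/check?id=42 312
2020-09-17T08:15:00 10.0.0.7 GET 203.0.113.10 /api/check?id=42 312
2020-09-17T08:15:02 10.0.0.7 POST 203.0.113.10 /api/upload 2048 body=k3Zt9qLxPvW2mN8bRfH5sYcJ0eGaUd7ioQzA1nM6wB4xEgTlKhCjVrFpDuOyIbSi
2020-09-17T08:00:10 10.0.0.8 GET example.com /index.html 5120
2020-09-17T08:01:45 10.0.0.8 GET example.com /news/ 8800
2020-09-17T08:02:03 10.0.0.8 POST example.com /login 210 body=user=alice&action=login
2020-09-17T08:31:20 10.0.0.8 GET example.com /news/ 8800
2020-09-17T08:31:22 10.0.0.8 GET example.com /index.html 5120
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0 for a constant string, ~6 for random base64."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse log lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_beacons(text: str) -> list:
    """Return (client, host) pairs showing periodic GETs plus a high-entropy POST."""
    by_pair = defaultdict(list)
    for e in parse_log(text):
        by_pair[(e["src"], e["host"])].append(e)

    hits = []
    for (src, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        get_times = [e["ts"] for e in evs if e["method"] == "GET"]
        periodic = False
        if len(get_times) >= MIN_GETS:
            gaps = [(b - a).total_seconds() for a, b in zip(get_times, get_times[1:])]
            mean = statistics.mean(gaps)
            periodic = mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER
        # Highest entropy seen in any POST body to this host (0 if none)
        max_ent = max(
            (shannon_entropy(e["body"]) for e in evs if e["method"] == "POST" and e["body"]),
            default=0.0,
        )
        if periodic and max_ent >= MIN_ENTROPY:
            hits.append({"src": src, "host": host, "polls": len(get_times),
                         "max_post_entropy": round(max_ent, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Both indicators are required before a pair is reported: periodic polling alone matches plenty of legitimate software (update checkers, mail clients), and a single high-entropy POST alone matches any file upload. Tune MAX_JITTER and MIN_ENTROPY against your own baseline traffic before relying on the rule.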
Measures to safeguard your Android device against such malware attacks
Android remains the leading mobile operating system, with the largest share of the global smartphone market, so it is no surprise that it is also a prime target for malware authors.
It therefore behoves Android users to keep their device software up to date, to scrutinize every application before installing it, and to install applications only from the Google Play Store.
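One concrete way to check the last of those points on a device you administer is to list third-party packages together with the app that installed them, and flag anything that did not come from the Play Store. The following is an added example, not code from the article or from Google. It assumes the "package:<name>  installer=<installer>" output format of `adb shell pm list packages -3 -i` (third-party packages with installer name); the sample output and the package names in it are constructed for illustration.

```python
"""List third-party Android packages that were not installed by Google Play.

Added example, not from the article.  Assumes the output format of
`adb shell pm list packages -3 -i`; the sample output below is constructed
and the package names are illustrative."""
import re
import subprocess

# Google Play's package name.  Add an enterprise MDM or OEM store here only if
# you actually trust it as an installation source.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line format: "package:<name>  installer=<installer or null>"
PKG_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output: two Play Store installs, one package with no
# recorded installer, and one sideloaded through the system package installer.
SAMPLE_OUTPUT = """\
package:com.example.messenger  installer=com.android.vending
package:com.example.optimizer  installer=null
package:com.example.banking  installer=com.android.vending
package:com.example.sideloaded  installer=com.android.packageinstaller
"""


def parse_installers(text: str) -> dict:
    """Map package name -> installer name; lines that do not match are ignored."""
    result = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded_packages(text: str, trusted=TRUSTED_INSTALLERS) -> list:
    """Packages whose installer is missing ('null') or not in the trusted set."""
    return sorted(pkg for pkg, inst in parse_installers(text).items() if inst not in trusted)


def from_device(serial: str = None) -> str:
    """Run the pm query over adb; raises if adb or the device is unavailable."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages", "-3", "-i"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        output = from_device()
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT  # no device attached: demonstrate on the constructed sample
    for pkg in sideloaded_packages(output):
        print("not from Play Store:", pkg)
```

A package that appears in this list is not necessarily malicious, but it is exactly the set that the "install only from the Play Store" advice is meant to keep empty, so each entry deserves a look at where it came from and what permissions it holds.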