S0577 FrozenCell
FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.[3]
There are multiple close variants of FrozenCell, such as VAMP,[1] GnatSpy,[2] Desert Scorpion and SpyC23, which add some additional functionality but are not significantly different from the original malware.
| Item | Value |
|---|---|
| ID | S0577 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 February 2021 |
| Last Modified | 19 February 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1532 | Archive Collected Data | FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[3] |
| mobile | T1429 | Audio Capture | FrozenCell has recorded calls.[3] |
| mobile | T1533 | Data from Local System | FrozenCell has retrieved device images for exfiltration.[3] |
| mobile | T1407 | Download New Code at Runtime | FrozenCell has downloaded and installed additional applications.[3] |
| mobile | T1420 | File and Directory Discovery | FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[3] |
| mobile | T1430 | Location Tracking | FrozenCell has used an online cell tower geolocation service to track targets.[3] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | FrozenCell has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.[3] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | FrozenCell has read SMS messages for exfiltration.[3] |
| mobile | T1409 | Stored Application Data | FrozenCell has retrieved account information for other applications.[3] |
| mobile | T1426 | System Information Discovery | FrozenCell has gathered the device manufacturer, model, and serial number.[3] |
| mobile | T1422 | System Network Configuration Discovery | FrozenCell has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1028 | APT-C-23 | - |
References
1. Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.
2. Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.
3. Flossman, M. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.