Skip to content

S1195 SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.3

There are multiple close variants of SpyC23, such as VAMP1, GnatSpy2, Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

Item Value
ID S1195
Associated Names
Type MALWARE
Version 1.0
Created 26 March 2024
Last Modified 19 February 2025
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1517 Access Notifications SpyC23 reads notifications from applications and connected wearables.3645
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols SpyC23 can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).36
mobile T1429 Audio Capture SpyC23 can record phone calls and audio.36457
mobile T1616 Call Control SpyC23 can make phone calls.34
mobile T1533 Data from Local System SpyC23 can collect and exfiltrate files with specific extensions, such as .pdf, doc.3
mobile T1624 Event Triggered Execution -
mobile T1624.001 Broadcast Receivers SpyC23 listens for the BOOT_COMPLETED broadcast to activate malware.3
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon SpyC23 can hide its icon.3
mobile T1628.002 User Evasion SpyC23 has used blank screen overlays to hide malicious activity from the user.3
mobile T1629 Impair Defenses -
mobile T1629.003 Disable or Modify Tools SpyC23 has disabled play protect.3
mobile T1544 Ingress Tool Transfer SpyC23 can download more malware to the victim device.384
mobile T1430 Location Tracking SpyC23 can access the device’s location.4
mobile T1655 Masquerading -
mobile T1655.001 Match Legitimate Name or Location SpyC23 has masqueraded as legitimate messaging applications.386457
mobile T1406 Obfuscated Files or Information SpyC23 has used obfuscation techniques to hide its hardcoded C2 address.3
mobile T1644 Out of Band Data SpyC23 can receive Command and Control commands from SMS messages.3
mobile T1636 Protected User Data -
mobile T1636.002 Call Log SpyC23 can exfiltrate the call log.7
mobile T1636.003 Contact List SpyC23 can exfiltrate the victim device’s contact list.367
mobile T1636.004 SMS Messages SpyC23 can read and exfiltrate SMS messages.367
mobile T1513 Screen Capture SpyC23 can take record and take screenshots of the victim device.36
mobile T1582 SMS Control SpyC23 can send SMS messages.3
mobile T1512 Video Capture SpyC23 can capture pictures and videos.367
mobile T1633 Virtualization/Sandbox Evasion SpyC23 has obfuscated code and anti-virtualization techniques to hinder analysis.4

Groups That Use This Software

ID Name References
G1028 APT-C-23 3986

References

  1. Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024. 

  2. Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024. 

  3. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024. 

  4. Delamotte, A. (2023, November 6). Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024. 

  5. Cyware. (2020, October 2). APT‑C‑23 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024. 

  6. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024. 

  7. O’Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025. 

  8. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024. 

  9. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.