1. Home
  2. Software
  3. SpyC23

SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

ID: S1195
Type: MALWARE
Platforms: Android
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 26 March 2024
Last Modified: 19 February 2025
Version Permalink
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

SpyC23 reads notifications from applications and connected wearables.[1][4][5][6]
Mobile T1437 .001 Application Layer Protocol: Web Protocols

SpyC23 can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).[1][4]

Mobile T1429 Audio Capture

SpyC23 can record phone calls and audio.[1][4][5][6][7]
Mobile T1616 Call Control

SpyC23 can make phone calls.[1][5]
Mobile T1533 Data from Local System

SpyC23 can collect and exfiltrate files with specific extensions, such as .pdf, doc.[1]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

SpyC23 listens for the BOOT_COMPLETED broadcast to activate malware.[1]

Mobile T1628 .001 Hide Artifacts: Suppress Application Icon

SpyC23 can hide its icon.[1]
.002 Hide Artifacts: User Evasion

SpyC23 has used blank screen overlays to hide malicious activity from the user.[1]
Mobile T1629 .003 Impair Defenses: Disable or Modify Tools

SpyC23 has disabled play protect.[1]
Mobile T1544 Ingress Tool Transfer

SpyC23 can download more malware to the victim device.[1][8][5]
Mobile T1430 Location Tracking

SpyC23 can access the device's location.[5]
Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

SpyC23 has masqueraded as legitimate messaging applications.[1][8][4][5][6][7]
Mobile T1406 Obfuscated Files or Information

SpyC23 has used obfuscation techniques to hide its hardcoded C2 address.[1]
Mobile T1644 Out of Band Data

SpyC23 can receive Command and Control commands from SMS messages.[1]
Mobile T1636 Protected User Data

SpyC23 can exfiltrate the call log.[7]
.003 Contact List

SpyC23 can exfiltrate the victim device’s contact list.[1][4][7]
.004 SMS Messages

SpyC23 can read and exfiltrate SMS messages.[1][4][7]
Mobile T1513 Screen Capture

SpyC23 can take record and take screenshots of the victim device.[1][4]

Mobile T1582 SMS Control

SpyC23 can send SMS messages.[1]
Mobile T1512 Video Capture

SpyC23 can capture pictures and videos.[1][4][7]
Mobile T1633 Virtualization/Sandbox Evasion

SpyC23 has obfuscated code and anti-virtualization techniques to hinder analysis.[5]

Groups That Use This Software

ID Name References
G1028 APT-C-23

[1][9][8][4]

References

  1. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024.
  2. Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.
  3. Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.
  4. Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.
  5. Delamotte, A. (2023, November 6). Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.
  1. Cyware. (2020, October 2). APT‑C‑23 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.
  2. O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.
  3. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.
  4. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.