{
	"id": "7443ba86-7941-4276-b8f5-167ed2557bbc",
	"created_at": "2026-04-06T00:13:55.416963Z",
	"updated_at": "2026-04-10T13:11:34.441193Z",
	"deleted_at": null,
	"sha1_hash": "01e93286a5fa00c2908b75b568d2ca481c6eb7c2",
	"title": "New Surveillanceware in Google Play Targeting Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6018046,
	"plain_text": "New Surveillanceware in Google Play Targeting Middle East\r\nBy Lookout\r\nPublished: 2018-04-16 · Archived: 2026-04-05 15:29:19 UTC\r\nLookout researchers have identified a new, highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store. Lookout notified Google of the finding and Google removed the app immediately, while also taking action on it in Google Play Protect. The app ties together two malware families, Desert Scorpion and another targeted surveillanceware family named FrozenCell, that we believe are being developed by a single, evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East.\r\nWe've seen this actor rely heavily on phishing campaigns, specifically on Facebook, to trick victims into downloading their malicious apps. Even sophisticated actors use lower-cost, less technologically impressive means like phishing to spread their malware because it is cheap and very effective, especially on mobile devices, where there are more ways to interact with a victim (messaging apps, social media apps, etc.) and less screen real estate for victims to spot indicators of a threat.\r\nLookout customers are protected against this threat, and we have included a list of IOCs at the end of this report.\r\nhttps://blog.lookout.com/desert-scorpion-google-play\r\nPage 1 of 9\r\nThe Dardesh app associated with Desert Scorpion.\r\nThe potential actor and who they target\r\nOur current analysis strongly suggests Desert Scorpion is being deployed in targeted attacks against Middle Eastern individuals of interest, specifically those in Palestine; this targeting has also been highlighted by other researchers. We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family, a malicious chat application called Dardesh, via links to Google Play. The Lookout Threat Intelligence team identified that this same Facebook profile has also posted Google Drive links to Android malware belonging to the FrozenCell family attributed to APT-C-23. These factors, in combination with the fact that the command and control infrastructure used by FrozenCell and Desert Scorpion resides in similar IP blocks, support the theory that the same actor is responsible for operating, if not developing, both families.\r\nWhat it does\r\nThe surveillance functionality of Desert Scorpion resides in a second-stage payload that can only be downloaded if the victim has downloaded, installed, and interacted with the first-stage chat application. The chat application acts as a dropper for this second-stage payload app. At the time of writing Lookout has observed two updates to the Dardesh application, the first on February 26 and the second on March 28. 
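The staged design described above, a benign-looking first-stage app that later fetches a second-stage payload carrying the surveillance capabilities listed in this report, is something a reviewer can look for in the manifest of each stage. The following Python script is an added example and is not Lookout's code or an indicator from the report: it reads a decoded AndroidManifest.xml and flags the signals the report describes (permissions that back the listed capabilities, no launcher entry as a hint of a hidden icon, and a package name containing 'fateh'). The permission mapping is the standard Android permission model, the two manifests are constructed samples, and the weights and threshold are hypothetical choices made for this example.

```python
import xml.etree.ElementTree as ET

# Added triage example, not Lookout code: reads a decoded AndroidManifest.xml
# (as produced by apktool or aapt) and reports the signals described in this report.

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Standard Android permissions behind the second-stage capabilities listed in the
# report. This is the platform permission model, not an indicator Lookout published.
CAPABILITY_PERMISSIONS = {
    'android.permission.READ_SMS': 'retrieve text messages',
    'android.permission.RECEIVE_SMS': 'take commands via out-of-band SMS',
    'android.permission.SEND_SMS': 'send SMS',
    'android.permission.READ_CONTACTS': 'retrieve contacts',
    'android.permission.GET_ACCOUNTS': 'retrieve account information',
    'android.permission.ACCESS_FINE_LOCATION': 'track device location',
    'android.permission.RECORD_AUDIO': 'record surrounding audio and calls',
    'android.permission.CAMERA': 'record video',
    'android.permission.CALL_PHONE': 'call an attacker-specified number',
    'android.permission.READ_EXTERNAL_STORAGE': 'collect documents from external storage',
    'android.permission.REQUEST_INSTALL_PACKAGES': 'install a bundled APK (Android 8.0+)',
}

def _android_name(elem):
    return elem.get(ANDROID_NS + 'name', '')

def has_launcher_entry(root):
    # A launcher icon needs an activity or alias with MAIN + LAUNCHER. Icon hiding is
    # often done at runtime by disabling that component, so a present entry does not
    # clear an app; a missing one is just a strong static signal.
    for comp in root.iter():
        if comp.tag not in ('activity', 'activity-alias'):
            continue
        for filt in comp.findall('intent-filter'):
            actions = {_android_name(a) for a in filt.findall('action')}
            categories = {_android_name(c) for c in filt.findall('category')}
            if ('android.intent.action.MAIN' in actions
                    and 'android.intent.category.LAUNCHER' in categories):
                return True
    return False

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    package = root.get('package', '')
    requested = {_android_name(p) for p in root.findall('uses-permission')}
    capabilities = {p: CAPABILITY_PERMISSIONS[p] for p in requested if p in CAPABILITY_PERMISSIONS}
    no_launcher = not has_launcher_entry(root)
    package_hint = 'fateh' in package.lower()
    # Hypothetical weights and threshold chosen for this example; tune on your own corpus.
    score = len(capabilities)
    if no_launcher:
        score += 3
    if package_hint:
        score += 2
    return {
        'package': package,
        'capabilities': capabilities,
        'no_launcher_entry': no_launcher,
        'fateh_in_package': package_hint,
        'score': score,
        'verdict': 'suspicious' if score >= 6 else 'low',
    }

# Constructed sample 1: what a first-stage chat app can look like. It asks for little
# and has a launcher icon, which is why a staged dropper passes a static review.
STAGE1_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.chat'>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <application>
    <activity android:name='.MainActivity'>
      <intent-filter>
        <action android:name='android.intent.action.MAIN'/>
        <category android:name='android.intent.category.LAUNCHER'/>
      </intent-filter>
    </activity>
  </application>
</manifest>'''

# Constructed sample 2: a payload shaped like the report describes, posing as a
# settings app with no launcher entry, a 'fateh' package name and surveillance permissions.
STAGE2_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.fateh.settings'>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.ACCESS_FINE_LOCATION'/>
  <uses-permission android:name='android.permission.RECORD_AUDIO'/>
  <uses-permission android:name='android.permission.CAMERA'/>
  <uses-permission android:name='android.permission.READ_EXTERNAL_STORAGE'/>
  <uses-permission android:name='android.permission.REQUEST_INSTALL_PACKAGES'/>
  <application android:label='Settings'/>
</manifest>'''

if __name__ == '__main__':
    for manifest in (STAGE1_MANIFEST, STAGE2_MANIFEST):
        result = triage_manifest(manifest)
        print(result['package'], result['verdict'], result['score'], sorted(result['capabilities']))
```

Run it against both stages of a suspect app. The first stage scores low because it needs very little, which is exactly the point of the staged approach; the payload is what carries the surveillance permissions. Two of the listed capabilities may leave no manifest trace at all: listing installed applications needed no permission before Android 11, and installing a bundled APK through an install intent required REQUEST_INSTALL_PACKAGES only from Android 8.0 onwards, so treat the permission score as one input alongside dynamic analysis of what the app fetches after the user interacts with it.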
The malicious capabilities observed in the second stage include the following:\r\nUpload attacker-specified files to C2 servers\r\nGet list of installed applications\r\nGet device metadata\r\nInspect itself to get a list of launchable activities\r\nRetrieve PDF, txt, doc, xls, xlsx, ppt, and pptx files found on external storage\r\nSend SMS\r\nRetrieve text messages\r\nTrack device location\r\nHandle limited attacker commands via out-of-band text messages\r\nRecord surrounding audio\r\nRecord calls\r\nRecord video\r\nRetrieve account information such as email addresses\r\nRetrieve contacts\r\nRemove copies of itself if any additional APKs are downloaded to external storage\r\nCall an attacker-specified number\r\nUninstall apps\r\nCheck if a device is rooted\r\nHide its icon\r\nRetrieve list of files on external storage\r\nIf running on a Huawei device, attempt to add itself to the protected list of apps able to run with the screen off\r\nEncrypt some exfiltrated data\r\nDesert Scorpion's second stage masquerades as a generic \"settings\" application. Curiously, several of these have included the word \"Fateh\" in their package name, which may be a reference to the Fatah political party. Such references would be in line with FrozenCell's phishing tactics, in which file names were used to lure people associated with the political party into opening malicious documents. Desert Scorpion's second stage is capable of installing another, non-malicious application (bundled inside the second stage) that is highly specific to the Fatah political party and supports the targeting theory.\r\nThe Lookout Threat Intelligence team is increasingly seeing the same tradecraft, tactics, and procedures that APT-C-23 favors being used by other actors. The approach of separating malicious functionality into stages that are downloaded during execution and are not present in the initial app published to the Google Play Store, combined with social engineering delivered via social media platforms like Facebook, requires minimal investment in comparison to premium tooling like Pegasus or FinFisher. As we've seen with actors like Dark Caracal, this low-cost, low-sophistication approach that relies heavily on social engineering has still proven highly successful for those operating such campaigns. Given this actor's previous operational security errors, which resulted in exfiltrated content being publicly accessible, Lookout Threat Intelligence is continuing to map out their infrastructure and closely monitor their continued evolution.\r\nAndrew Blaich\r\nHead of Device Intelligence\r\nAndrew Blaich is Head of Device Intelligence at Lookout, where he is focused on mobile threat hunting and vulnerability research. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a Ph.D. in computer science and engineering from the University of Notre Dame, with a focus on enterprise security and wireless networking. In the past Andrew has worked at both Samsung and Qualcomm Research. Andrew is a regular presenter at security conferences including BlackHat, RSA, Kaspersky SAS, SecTor, SANS DFIR, Interop, and ACSC. In his free time he loves to run and hack on IoT.\r\nMichael Flossman\r\nHead of Threat Intelligence\r\nMichael is Head of Threat Intelligence at Lookout, where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off snowboarding, diving, or looking for flaws in popular mobile apps.\r\nSource: https://blog.lookout.com/desert-scorpion-google-play",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.lookout.com/desert-scorpion-google-play"
	],
	"report_names": [
		"desert-scorpion-google-play"
	],
	"threat_actors": [
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2cc9aa5-1853-4de1-8849-cb3f28c7728e",
			"created_at": "2022-10-25T16:07:24.256045Z",
			"updated_at": "2026-04-10T02:00:04.912815Z",
			"deleted_at": null,
			"main_name": "Goldmouse",
			"aliases": [
				"APT-C-27",
				"ATK 80",
				"Golden Rat",
				"Goldmouse"
			],
			"source_name": "ETDA:Goldmouse",
			"tools": [
				"Bladabindi",
				"GoldenRAT",
				"Jorik",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c385a7d-0217-46d8-a451-29ac6fe58aaf",
			"created_at": "2023-01-06T13:46:38.937468Z",
			"updated_at": "2026-04-10T02:00:03.151838Z",
			"deleted_at": null,
			"main_name": "APT-C-27",
			"aliases": [
				"Golden RAT",
				"ATK80",
				"GoldMouse"
			],
			"source_name": "MISPGALAXY:APT-C-27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01e93286a5fa00c2908b75b568d2ca481c6eb7c2.pdf",
		"text": "https://archive.orkl.eu/01e93286a5fa00c2908b75b568d2ca481c6eb7c2.txt",
		"img": "https://archive.orkl.eu/01e93286a5fa00c2908b75b568d2ca481c6eb7c2.jpg"
	}
}