{
	"id": "77b2e240-98c5-4f8e-ad48-dfa6f4ea6643",
	"created_at": "2026-04-06T00:14:14.131325Z",
	"updated_at": "2026-04-10T03:32:04.925607Z",
	"deleted_at": null,
	"sha1_hash": "57d854291be5afd32de86dc5fb670c2ee511ac66",
	"title": "APT-C-23 group evolves its Android spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3380806,
	"plain_text": "APT-C-23 group evolves its Android spyware\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:17:43 UTC\r\nWe have discovered a previously unreported version of Android spyware used by APT-C-23, a threat group also\r\nknown as Two-tailed Scorpion and mainly targeting the Middle East. ESET products detect the malware as\r\nAndroid/SpyC23.A.\r\nThe APT-C-23 group is known to have used both Windows and Android components in its operations, with the\r\nAndroid components first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware\r\nwere published.\r\nCompared to the versions documented in 2017, Android/SpyC23.A has extended spying functionality, including\r\nreading notifications from messaging apps, call recording and screen recording, and new stealth features, such as\r\ndismissing notifications from built-in Android security apps. One of the ways the spyware is distributed is via a\r\nfake Android app store, using well-known apps as a lure.\r\nTimeline and discovery\r\nThe group’s activities were first described by Qihoo 360 Technology in March 2017 under the name Two-tailed\r\nScorpion. In the same year, Palo Alto Networks, Lookout and Trend Micro described other versions of the mobile\r\nmalware, naming them VAMP, FrozenCell and GnatSpy, respectively. Lookout published an analysis of another\r\nversion of the malware, named Desert Scorpion, in April 2018, and at the beginning of 2020, Check Point\r\nResearch reported new mobile malware attacks attributed to the APT-C-23 group.\r\nIn April 2020, @malwrhunterteam tweeted about a new Android malware sample. According to the VirusTotal\r\nservice, no security vendor besides ESET detected the sample at the time. In cooperation with\r\n@malwrhunterteam, we recognized the malware to be part of the APT-C-23 arsenal.\r\nhttps://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/\r\nPage 1 of 14\n\nFigure 1. 
VirusTotal detection rate for one of the newly discovered samples\r\nIn June 2020, @malwrhunterteam tweeted about another little-detected Android malware sample, which turned\r\nout to be connected to the sample from April. A deeper analysis showed that the April and June discoveries\r\nwere variants of the same new Android malware used by the APT-C-23 group.\r\nFigure 2 shows the timeline of these events.\r\nFigure 2. Timeline of previously documented APT-C-23 mobile malware and ESET’s 2020 investigation\r\nDistribution\r\nThanks to information from @malwrhunterteam, we identified a fake Android app store used to distribute the\r\nmalware. At the time of analysis, the “DigitalApps” store, pictured in Figure 3, contained both malicious and clean\r\nitems. The non-malicious items would redirect users to another unofficial Android app store, serving legitimate\r\napps. The malware was hidden in apps posing as AndroidUpdate, Threema and Telegram. The latter two of these\r\nlures also downloaded the impersonated apps with full functionality along with the malware. This mechanism is\r\ndescribed in detail in the Functionality section.\r\nFigure 3. The fake app store serving APT-C-23 spyware\r\nInterestingly, the downloads were limited by needing to enter a six-digit coupon code, as seen in Figure 4. This\r\nmay be a way to prevent those not targeted by the group from installing the malware, and hence keep a lower\r\nprofile. Although we didn’t have a coupon code, downloading the app wasn’t such a problem – all that was needed\r\nwas to append “/download” to the URL.\r\nFigure 4. The fake app store requiring a coupon code for downloading malware\r\nThis fake app store is likely just one of the distribution methods used by the threat group. 
Our telemetry from\r\n2020 showed samples impersonating apps that were not part of this fake app store.\r\nESET telemetry data\r\nAccording to ESET telemetry and VirusTotal data, Android/SpyC23.A has been in the wild since May 2019.\r\nIn June 2020, ESET systems blocked this spyware on client devices in Israel. The detected malware samples were\r\ndisguised as the messaging app “WeMessage”, shown in Figure 5.\r\nWhile there is a legitimate messaging app called weMessage on Google Play, as seen in Figure 6, the malicious\r\napp uses entirely different graphics and doesn’t seem to impersonate the legitimate app other than by\r\nappropriating its name. In our research, we haven’t found another app using the same or similar interface as the\r\nmalicious WeMessage app, so it’s possible that the attackers created custom graphics.\r\nWe don’t know how this particular version of the spyware was distributed – the malicious WeMessage app wasn’t\r\noffered in the aforementioned fake app store.\r\nFigure 5. Graphics used by the malicious WeMessage app\r\nFigure 6. The legitimate weMessage app on Google Play\r\nFunctionality\r\nBased on our research, the malware mainly impersonates messaging apps. 
The attackers might have chosen this\r\nguise to justify the various permissions requested by the malware.\r\nInstallation and permissions\r\nBefore installation, Android/SpyC23.A requests a number of invasive permissions, including taking pictures and\r\nvideos, recording audio, reading and modifying contacts, and reading and sending SMS.\r\nAfter installation, the malware requests a series of additional, sensitive permissions, using social engineering-like\r\ntechniques to fool technically inexperienced users. These additional permission requests are disguised as security\r\nand privacy features:\r\nUnder the guise of “Messages Encryption”, the app requests permission to read the user’s notifications\r\nUnder the guise of “Private Messages”, the app requests permission to turn off Play Protect\r\nUnder the guise of “Private Video Chat”, the app requests permission to record the user’s screen\r\nThese steps are shown in the video accompanying the article.\r\nAfter the malware is initialized, in most cases, victims are requested to manually install the legitimate app used as\r\na lure (e.g. Threema), which is stored in the malware’s resources. While the legitimate app is being installed, the\r\nmalware hides its presence on the affected device. This way, the victims end up with a functioning app they\r\nintended to download and spyware silently running in the background. In some cases (e.g. WeMessage,\r\nAndroidUpdate) the downloaded apps did not have any real functionality, and only served as bait for installing the\r\nspyware.\r\nWhen first launched, the malware starts to communicate with its Command and Control (C\u0026C) server. 
It registers\r\nthe new victim and sends the victim’s device information to the C\u0026C.\r\nCapabilities\r\nBased on the commands received, Android/SpyC23.A can perform the following actions:\r\nTake pictures\r\nRecord audio\r\nRestart Wi-Fi\r\nExfiltrate call logs\r\nExfiltrate all SMS messages\r\nExfiltrate all contacts\r\nDownload files to device\r\nDelete files from device\r\nSteal files with particular extensions (pdf, doc, docx, ppt, pptx, xls, xlsx, txt, text, jpg, jpeg, png)\r\nUninstall any app installed on the device\r\nSteal APK installers of apps installed on device\r\nHide its icon\r\nGet credit balance of SIM on device (it can get a balance by making a call to three different cellular\r\noperators: Jawwal, Wataniya, Etisalat)\r\nThe following features are new in Android/SpyC23.A compared to the previously documented versions:\r\nRecord screen and take screenshots\r\nRecord incoming and outgoing calls in WhatsApp\r\nMake a call while creating a black screen overlay activity (to hide call activity)\r\nRead text of notifications from selected messaging and social media apps: WhatsApp, Facebook, Telegram,\r\nInstagram, Skype, Messenger, Viber, imo\r\nDismiss notifications from built-in security apps on some Android devices:\r\nSecurityLogAgent notifications on Samsung devices (package name contains “securitylogagent”)\r\nSamsung notifications (package name contains “samsung.android”)\r\nMIUI Security notifications on Xiaomi devices (package name contains “com.miui.securitycenter”)\r\nPhone Manager on Huawei devices (package name contains “huawei.systemmanager”)\r\nDismiss its own notifications (an unusual feature, possibly used in case of errors or warnings displayed by\r\nthe malware)\r\nC\u0026C communication\r\nBesides spying capabilities, the malware’s C\u0026C communication has also undergone an update. 
In older versions,\r\nthe C\u0026C in use was hardcoded and either available in plain text or trivially obfuscated, and thus easier to identify.\r\nIn the updated version, the C\u0026C is well hidden using various techniques and can be remotely changed by the\r\nattacker.\r\nIn this section, we will describe how Android/SpyC23.A retrieves its C\u0026C server.\r\nThe malware uses a native library with three functions. Two of them return opening and closing HTML tags for\r\nthe title and the third one returns an encrypted string.\r\nFigure 7. Returned strings from the native library\r\nThe encrypted string serves two purposes: the first part – before the hyphen (“-”) – is used as part of the password\r\nto encrypt files extracted from the affected device. The second part is first decoded (base64) and then decrypted\r\n(AES). The decrypted string might, for example, suggest a Facebook profile page for the C\u0026C, but it is still\r\nobfuscated.\r\nFigure 8. Decrypted but still obfuscated URL\r\nSome of the substrings in this string are replaced based on a simple substitution table and then the domain part of\r\nthe apparent URL is replaced.\r\nFigure 9. Decrypted and deobfuscated URL\r\nFrom this URL, the malware parses the HTML for its title tag.\r\nFigure 10. Parsing website title to retrieve the C\u0026C server\r\nThe last step is to replace the first space with a dash and the second one with a dot. With that, obtaining the C\u0026C\r\nis done. Such a process allows the malware operators to change their C\u0026C server dynamically.\r\nFigure 11. C\u0026C communication\r\nThe malware’s live C\u0026C servers typically pose as websites under maintenance, all using the same logo, shown in\r\nFigure 12.\r\nFigure 12. 
The malware’s C\u0026C server\r\nConclusion\r\nOur research shows that the APT-C-23 group is still active, enhancing its mobile toolset and running new\r\noperations. Android/SpyC23.A – the group’s newest spyware version – features several improvements making it\r\nmore dangerous to victims.\r\nTo prevent falling victim to spyware, we advise Android users to only install apps from the official Google Play\r\nStore. In cases where privacy concerns, access issues or other restrictions prevent users from following this\r\nadvice, users should take extra care when downloading apps from unofficial sources. We recommend scrutinizing\r\nthe app’s developer, double-checking the permissions requested, and using a trustworthy and up-to-date mobile\r\nsecurity solution.\r\nFor any inquiries, contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nESET detection name\r\nAndroid/SpyC23.A\r\nHashes\r\nC\u0026Cs\r\nhttps://linda-gaytan[.]website\r\nhttps://cecilia-gilbert[.]com\r\nhttps://david-gardiner[.]website\r\nhttps://javan-demsky[.]website\r\nDistribution URL\r\nhttps://digital-apps[.]store\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 7 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1444 | Masquerade as Legitimate Application | Android/SpyC23.A impersonates a legitimate chat application.\r\nInitial Access | T1476 | Deliver Malicious App via Other Means | SpyC23.A can be downloaded from a malicious alternative app store.\r\nExecution | T1575 | Native Code | SpyC23.A uses a native method to retrieve an encrypted string to obtain its C\u0026C.\r\nPersistence | T1402 | Broadcast Receivers | SpyC23.A listens for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts.\r\nDefense Evasion | T1508 | Suppress Application Icon | SpyC23.A hides its icon.\r\nDiscovery | T1418 | Application Discovery | SpyC23.A retrieves a list of installed apps.\r\nDiscovery | T1420 | File and Directory Discovery | SpyC23.A retrieves the content of the external storage directory.\r\nDiscovery | T1426 | System Information Discovery | SpyC23.A retrieves details about the device.\r\nCollection | T1433 | Access Call Log | SpyC23.A exfiltrates call log history.\r\nCollection | T1432 | Access Contact List | SpyC23.A exfiltrates the victim’s contact list.\r\nCollection | T1517 | Access Notifications | SpyC23.A exfiltrates messages from messaging and social media apps.\r\nCollection | T1429 | Capture Audio | SpyC23.A can record surroundings and calls.\r\nCollection | T1512 | Capture Camera | SpyC23.A can take pictures from the front or rear cameras.\r\nCollection | T1412 | Capture SMS Messages | SpyC23.A can exfiltrate sent and received SMS messages.\r\nCollection | T1533 | Data from Local System | SpyC23.A steals files with particular extensions from external media.\r\nCollection | T1513 | Screen Capture | SpyC23.A can take screenshots.\r\nCommand and Control | T1438 | Alternative Network Mediums | SpyC23.A can use SMS to receive C\u0026C messages.\r\nCommand and Control | T1437 | Standard Application Layer Protocol | SpyC23.A communicates with C\u0026C using HTTPS and Firebase Cloud Messaging (FCM).\r\nCommand and Control | T1544 | Remote File Copy | SpyC23.A can download attacker-specified files.\r\nExfiltration | T1532 | Data Encrypted | Extracted data is transmitted in password-protected ZIP files.\r\nImpact | T1447 | Delete Device Data | SpyC23.A can delete attacker-specified files from the device.\r\nSource: https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"
	],
	"report_names": [
		"aptc23-group-evolves-its-android-spyware"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57d854291be5afd32de86dc5fb670c2ee511ac66.pdf",
		"text": "https://archive.orkl.eu/57d854291be5afd32de86dc5fb670c2ee511ac66.txt",
		"img": "https://archive.orkl.eu/57d854291be5afd32de86dc5fb670c2ee511ac66.jpg"
	}
}