{
	"id": "e8970cee-d6c3-4275-ae35-a6ea5a92503c",
	"created_at": "2026-04-06T00:06:12.269274Z",
	"updated_at": "2026-04-10T03:32:04.890159Z",
	"deleted_at": null,
	"sha1_hash": "8b95aeb67228b784e8e0c9d2cb848e69bac4b95b",
	"title": "New GnatSpy Mobile Malware Family Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79540,
	"plain_text": "New GnatSpy Mobile Malware Family Discovered\r\nBy: Ecular Xu, Grey Guo, Dec 18, 2017. Read time: 4 min (1122 words)\r\nPublished: 2017-12-18 · Archived: 2026-04-05 15:24:28 UTC\r\nEarlier this year, researchers first disclosed a targeted attack campaign against various sectors in the Middle East. The threat actor was called Two-tailed Scorpion/APT-C-23. Later on, a mobile component called VAMP was found, with a new variant (dubbed FrozenCell) discovered in October. (We detect these malicious apps as ANDROIDOS_STEALERC32.)\r\nVAMP targeted various types of data on victims' phones: images, text messages, contacts, and call history, among others. Dozens of command-and-control (C\u0026C) domains and samples were found, which were soon disabled or detected.\r\nRecently, Trend Micro researchers came across a new mobile malware family, which we have called GnatSpy. We believe that this is a new variant of VAMP, indicating that the threat actors behind APT-C-23 are still active and continuously improving their product. Some C\u0026C domains from VAMP were reused in newer GnatSpy variants, indicating that these attacks are connected. We detect this new family as ANDROIDOS_GNATSPY.\r\nWe do not know for sure how these files were distributed to users. It is possible that the threat actors sent them directly to users to download and install on their devices. The apps carried names like “Android Setting” or “Facebook Update” to make users believe they were legitimate. We have not detected significant numbers of these apps in the wild, indicating that their use is probably limited to specific targeted groups or individuals.\r\nNew capabilities of GnatSpy\r\nThe capabilities of GnatSpy are similar to those of early versions of VAMP. However, there have been some changes in its behavior that highlight the increasing sophistication of this particular threat actor. 
\r\nApp structure organization – expanded and improved\r\nThe structure of the new GnatSpy variants is very different from that of previous variants. More receivers and services have been added, making the malware more capable and modular. We believe this indicates that GnatSpy was designed by someone with more knowledge of good software design practices than the previous authors.\r\nFigures 1 and 2. Old and new receivers and services\r\nThe new code also makes much more use of Java annotations and reflection. We believe this was done to evade attempts to detect these apps as malicious.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/\r\nPage 1 of 6\r\nFigures 3 and 4. Java annotations and reflection methods\r\nC\u0026C servers\r\nEarlier versions of VAMP contained the C\u0026C server address in plain text, making detection by static analysis tools an almost trivial affair.\r\nFigure 5. C\u0026C server in plaintext\r\nGnatSpy has changed this. The server is still hardcoded in the malicious app’s code, but it is now encoded to evade easy detection:\r\nFigures 6 and 7. Obfuscated C\u0026C server\r\nA function call in the code recovers the actual C\u0026C URL from the encoded form:\r\nFigures 8 and 9. Function call to obtain C\u0026C server URL\r\nThe URL hardcoded in the malware is not the final C\u0026C server, however. Accessing that URL merely returns the location of the actual C\u0026C server:\r\nFigures 10 and 11. Request and response pair for C\u0026C server\r\nThe WHOIS records of the C\u0026C domains now use domain privacy to conceal the registrant's contact information.\r\nFigure 12. 
WHOIS information\r\nIt’s also worth noting that some of these C\u0026C domains are newly registered, highlighting that the attackers are still active even though their activities have been reported:\r\nFigure 13. Newly registered C\u0026C domain\r\nThe domain names are also curiously chosen. They use names of persons: some appear to be real (or plausibly real) names, while others appear to have been taken directly from various television shows. The rationale for using these names remains unclear.\r\nThe version of Apache used has also been updated, from 2.4.7 to 2.4.18. All domains now forbid directory indexing; on at least one earlier C\u0026C domain this was left enabled.\r\nFigure 14. Directory indexing disabled\r\nWe note here that two of the C\u0026C domains we encountered, cecilia-gilbert[.]com and lagertha-lothbrok[.]info, were previously reported in connection with VAMP and FrozenCell, respectively. This indicates that the threat actors behind GnatSpy are likely connected to these previous attacks as well.\r\nIncreased compatibility and stolen information\r\nEarlier samples called the System Manager on Huawei devices to grant permissions to themselves:\r\nFigure 15. Code calling app on Huawei devices\r\nA similar call was added for Xiaomi devices:\r\nFigure 16. Code calling app on Xiaomi devices\r\nGnatSpy also includes several function calls targeting newer Android versions (Marshmallow and Nougat):\r\nFigures 17 and 18. Code for Marshmallow and Nougat Android versions\r\nMore information about the device is stolen as well, including battery status, memory and storage usage, and SIM card status. 
Curiously, while previous samples collected the user’s location via OpenCellID, GnatSpy no longer does this.\r\nConclusion\r\nThreat actors can be remarkably persistent even after their activities have been exposed and documented by researchers. This appears to be the case here. The threat actors behind GnatSpy are not only continuing their illicit activities but also improving the technical capabilities of their malware.\r\nTrend Micro™ Mobile Security for Android™ detects these malicious apps. End users and enterprises can also benefit from its multilayered security capabilities, which secure the device’s data and privacy and safeguard users from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance, and application management, data protection, and configuration provisioning; it also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.\r\nTrend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities. 
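The following is an added example and not code from the Trend Micro post: a small Python hunting helper that checks DNS/proxy query logs and a per-device APK hash inventory against the indicators published in the Indicators of Compromise section below. The log line format, the inventory, and the device IDs are constructed for illustration; only the domains and SHA256 values come from the post (the hash table embeds three of its entries).

```python
# Added example, not code from the Trend Micro post: hunt for GnatSpy indicators
# in DNS/proxy query logs and in an installed-APK hash inventory. The log lines,
# log format, inventory and device IDs below are constructed for illustration;
# the domains and SHA256 values are the ones published in the post.

# Defanged exactly as published; refang() turns them into real hostnames.
GNATSPY_DOMAINS_DEFANGED = [
    'aryastark[.]info', 'cecilia-gilbert[.]com', 'cerseilannister[.]info',
    'claire-browne[.]info', 'daario-naharis[.]info', 'harvey-ross[.]info',
    'jorah-mormont[.]info', 'kaniel-outis[.]info', 'kristy-milligan[.]website',
    'lagertha-lothbrok[.]info', 'max-eleanor[.]info', 'olivia-hartman[.]info',
    'ragnar-lothbrok[.]info', 'rose-sturat[.]info', 'saratancredi[.]info',
    'useraccount[.]website', 'victor-stewart[.]info',
]

# SHA256 -> (package name, label) for three of the samples listed in the post.
GNATSPY_SHA256 = {
    '14c846939641eb575f78fc8f1ecb2dc76979a5e08366e1809be24fad240f6ad6': ('com.app.voice', 'Voice'),
    '1b1bff4127c9f868f14bc8f2526358cfc9ff1259b7069ab116e7c52e43f2c669': ('com.messenger.hike', 'Android Setting'),
    '22078e0d00d6a0f0441b3777e6a418170e3a9e4cce8141f0da8af044fdc1e266': ('com.myapps.update', 'Facebook Update'),
}


def refang(indicator):
    '''Convert a defanged indicator such as example[.]com to a normalised hostname.'''
    return indicator.replace('[.]', '.').strip().lower().rstrip('.')


GNATSPY_DOMAINS = {refang(d) for d in GNATSPY_DOMAINS_DEFANGED}


def match_domain(hostname, indicators=GNATSPY_DOMAINS):
    '''Return the matching indicator if hostname equals it or is a subdomain of
    it (api.useraccount.website matches useraccount.website), else None.
    The leading-dot suffix check keeps notcecilia-gilbert.com from matching.'''
    host = refang(hostname)
    for indicator in indicators:
        if host == indicator or host.endswith('.' + indicator):
            return indicator
    return None


def scan_dns_log(lines):
    '''Constructed log format: <timestamp> <client_ip> query <qname>.
    Returns (timestamp, client_ip, qname, matched_indicator) for each hit.'''
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != 'query':
            continue  # malformed or unrelated line: skip rather than crash
        matched = match_domain(fields[3])
        if matched:
            hits.append((fields[0], fields[1], fields[3], matched))
    return hits


def scan_apk_inventory(inventory):
    '''inventory: iterable of (device_id, sha256_hex). Returns
    (device_id, package_name, label) for every known-bad hash. Hashes are
    compared case-insensitively because inventory tools differ in case.'''
    hits = []
    for device, digest in inventory:
        known = GNATSPY_SHA256.get(digest.strip().lower())
        if known:
            hits.append((device, known[0], known[1]))
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_DNS_LOG = [
    '2017-12-18T09:00:01Z 10.0.0.5 query www.example.com',
    '2017-12-18T09:00:07Z 10.0.0.5 query cecilia-gilbert.com',
    '2017-12-18T09:01:13Z 10.0.0.9 query api.useraccount.website',
    '2017-12-18T09:02:44Z 10.0.0.9 query notcecilia-gilbert.com',
    'garbage line that should be ignored',
]
SAMPLE_INVENTORY = [
    ('dev-01', '0000000000000000000000000000000000000000000000000000000000000000'),
    ('dev-02', '1B1BFF4127C9F868F14BC8F2526358CFC9FF1259B7069AB116E7C52E43F2C669'),
]

if __name__ == '__main__':
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print('DNS hit:', hit)
    for hit in scan_apk_inventory(SAMPLE_INVENTORY):
        print('APK hit:', hit)
```

Matching treats each indicator as a full label suffix, so a query for api.useraccount.website is a hit while notcecilia-gilbert.com is not; the hash lookup reports the package name from the indicator list rather than from the device, since the samples reuse legitimate-looking names such as Android Setting.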
\r\nIndicators of Compromise\r\nApps/files with the following hashes are connected to GnatSpy:\r\nSHA256 | Package Name | Label\r\n14c846939641eb575f78fc8f1ecb2dc76979a5e08366e1809be24fad240f6ad6 | com.app.voice | Voice\r\n1b1bff4127c9f868f14bc8f2526358cfc9ff1259b7069ab116e7c52e43f2c669 | com.messenger.hike | Android Setting\r\n1c0e3895f264ac51e185045aa2bf38102da5b340eb3c3c3f6aacb7476c294d62 | com.app.updates | Messenger Update\r\n22078e0d00d6a0f0441b3777e6a418170e3a9e4cce8141f0da8af044fdc1e266 | com.myapps.update | Facebook Update\r\n232807513c2d3e97bfcc64372d360bd9f7b6b782bd4083e91f09f2882818c0c5 | com.myapps.update | WhatsApp Update\r\n313ae27ec66e533f7224d99c1a0c254272818d031456359d3dc85f02f21fd992 | com.app.go | Android Setting\r\n377716c6a2b73c94d3307e9f2ea1a5b3774fa42df452c0867e7384eb45422e4f | com.apps.voice | Android Setting\r\n3c604f5150ea1af994e7411e2816c277ff4f8a02b94d50b6cf4cc951430414bf | com.appdev.update | Android System\r\n4842cff6fc7a7a413ceed132f735eee3121ffb03f98453dae966f900e341dd52 | com.updates.voice | VoiceChat\r\n4e681d242bebf64bbba3f0da91ad109dd14f26e97cd62f306e9fca1603a0009e | com.app.lets | Android Setting\r\n544a1c303ef021f0d54e62a6147c7ae9cd0c84265e302f6da5ed08b616e45b78 | com.myapps.update | Facebook Update\r\n566385bff532d1eb26b49363b8d91ed6881f860ffa4b5ddb2bb5fe068bb6c87e | com.app.lets | Android Setting\r\n58ddd057ec7f2420ce94cf3fc52794d0f62603ca7eaf8c5911f55b8b100ac493 | com.chatts.me | Chat Me\r\n5de5b948aeca6e0811f9625dec48601133913c24e419ce99f75596cb04503141 | com.fakebook | App System Installer\r\n6b0325b7020f203d38664be732145c5f9f95fda875c81d136b031618900210a4 | com.myapps.update | Messenger Update\r\n6befd9dac5286f72516bba531371dc7769d9efecf56c8a44ce0c8de164662c6b | com.app.go | Android Setting\r\n76962d334b894349a512d8e533c8373b71389f1d20fd814cd8e7ecc89ed8530a | com.messenger.hike | Android Setting\r\n8da31d3102524d6a2906d1ffa1118edf39cf54d72456937bfbae5546e09a3c32 | com.app.go | Android Setting\r\n91b3eeb8ba6853cab5f2669267cf9bccdba389149cc8b2c32656af62bd016b04 | com.facebookupdate | Facebook Update\r\n93da08ced346b9958e34bda4fe41062572253472c762a3a837e0dd368fffec8b | com.fakebook | Android Settings\r\na841b71431e19df7e925d10a6e43a965fc68ccbb6523b447de82c516cfba93a8 | com.app.lets | Android Setting\r\naf65aac4f3cf13c88422675b5261acc6c7b5d0af75323a516989a75b0374eddd | com.app.chat | Chat\r\nb6326e17ec8307edf63e731c635fbfa8469d9264cb414592e2d2a5c71093d809 | com.apps.voice | Android Setting\r\nb7007d2039abaf8b8b0db77241d400a8c4d3b48c6fece5d80dc69905d4d272c3 | com.apps.voice | Android Setting\r\nc20438ba8c9e008c1e2eb4343f177757fc260437aeac52df61b156671b07ac14 | com.myapps.update | Facebook Update\r\nca8d892a616feaf240bd9e05a250db8ed4d56b7db6348bbaa415dec1e0c626f3 | com.app.voice | VoiceChat\r\nce4190030372465eceec60ec1687023c99f95a11b9a558f5431074de20747b81 | com.app.update | WhatsApp Update\r\nd17308fb06760de1b06d03448a01f3762f2712c1a66b50c8d5f4ac061d6deb27 | com.apps.lets | Android Setting\r\ne2cb9140c47492e7931e0b6629caf5c03cbc4e7a28c7976a28e3158b5d1c67fb | com.app.chatous | Android Setting\r\nebc338f3988e96e9fab53854428ea91dbabd3ee9875464008eafd52c687c3625 | com.chat.bestchat | Best Chat\r\nec1ed9b064ffbd237e1808d4e156d011b8b77402042b7a6fee92923b69ba65d4 | com.app.lets | Android Setting\r\nefc4a2014f73996fb5d90406a55aa14ac89407fd03cfc89d18ee3251d9fd1af8 | com.chat.bestchat | Best Chat\r\nf890ba41f6d7d2f2fb4da477adc975be7a3b8068686ff5e863d1a53e56acdfac | com.facebook.update | Facebook Update\r\nThe following domains were used by various C\u0026C servers:\r\naryastark[.]info\r\ncecilia-gilbert[.]com\r\ncerseilannister[.]info\r\nclaire-browne[.]info\r\ndaario-naharis[.]info\r\nharvey-ross[.]info\r\njorah-mormont[.]info\r\nkaniel-outis[.]info\r\nkristy-milligan[.]website\r\nlagertha-lothbrok[.]info\r\nmax-eleanor[.]info\r\nolivia-hartman[.]info\r\nragnar-lothbrok[.]info\r\nrose-sturat[.]info\r\nsaratancredi[.]info\r\nuseraccount[.]website\r\nvictor-stewart[.]info\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/"
	],
	"report_names": [
		"new-gnatspy-mobile-malware-family-discovered"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775791924,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b95aeb67228b784e8e0c9d2cb848e69bac4b95b.pdf",
		"text": "https://archive.orkl.eu/8b95aeb67228b784e8e0c9d2cb848e69bac4b95b.txt",
		"img": "https://archive.orkl.eu/8b95aeb67228b784e8e0c9d2cb848e69bac4b95b.jpg"
	}
}