{
	"id": "763f056b-c37c-40d9-b2ef-9dbc5bc8c56a",
	"created_at": "2026-04-06T00:10:56.033319Z",
	"updated_at": "2026-04-10T13:12:47.632006Z",
	"deleted_at": null,
	"sha1_hash": "a46d95b419457293066c75e9dc62eb3fa6e01529",
	"title": "Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2943094,
	"plain_text": "Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target\r\nAndroid Devices\r\nBy Alex Delamotte\r\nPublished: 2023-11-06 · Archived: 2026-04-05 19:53:04 UTC\r\nExecutive Summary\r\nArid Viper is an espionage-motivated cyber threat actor with Hamas-aligned interests. Arid Viper’s toolkit\r\nis multi-platform and includes the consistent use and development of mobile spyware since emerging in\r\n2017.\r\nThrough 2022 and 2023, the actor has distributed SpyC23, an Android spyware family, through\r\nweaponized apps posing as Telegram or as a dating app called Skipped.\r\nThere are overlaps between recent SpyC23 versions and their 2017 predecessors, tying together several\r\nArid Viper Android malware families.\r\nIncreased industry focus on Arid Viper is an extension of our continuing collective efforts to track threat\r\nactors engaged in the Israeli-Hamas war. In this context, traditional cyberespionage activities are often\r\nenablers for on-the-ground operations and deserve additional scrutiny.\r\nBackground\r\nThe Arid Viper group has a long history of using mobile malware, including at least four Android spyware\r\nfamilies and one short-lived iOS implant, Phenakite. The SpyC23 Android malware family has existed since at\r\nleast 2019, though shared code between the Arid Viper spyware families dates back to 2017. It was first reported\r\nin 2020 by ESET in a campaign where the actor used a third-party app store to distribute weaponized Android\r\npackages (APK). That campaign featured several apps designed to mimic Telegram and Android application\r\nupdate managers.\r\nThrough 2022 and early 2023, Arid Viper developed several newer SpyC23 versions that share these themes: two\r\napps mimic Telegram, while another is internally called APP-UPGRADE but is based on a romance-themed\r\nmessaging app called Skipped Messenger. 
Cisco Talos recently reported on the history of Skipped Messenger,\r\nrevealing that the once-benign dating application was likely passed from the original developer to the Arid Viper\r\nactor.\r\nSentinelLABS compared these newer versions of SpyC23 to the earlier 2020 version, as well as several older\r\nAndroid spyware families associated with Arid Viper: GnatSpy, FrozenCell, and VAMP. Many changes have been\r\nmade in SpyC23’s development; however, there are notable overlaps with these older families and the taxonomy is\r\nless distinct.\r\nApp Analysis\r\nhttps://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/\r\nPage 1 of 13\n\nThe theme of these applications centers on messaging and communications. We identified two unique themes: one\r\nmimics Telegram, the other mimics an apparent dating-themed app called Skipped Messenger. The group has\r\npreviously relied on Telegram-themed messengers as well as romance-themed lures and apps.\r\nArid Viper often relies on social engineering to deliver malware with pretexts that allow operators to engage\r\ncloser to their intended victims. The social engineering approach is a boon for delivering Android malware, as\r\nthere are many hurdles for the actor to overcome before a user successfully installs a malicious app. Working the\r\ninstallation flow into a social engineering pretext is likely more effective than expecting users to install spyware\r\nsuccessfully without prompting.\r\nThere is a non-weaponized version of Skipped Messenger (SHA-1:\r\n6e1867bd841f4dc16bef21b5a958eec7a6497c4e ) that shares the same Firebase service hostname\r\nskippedtestinapp[.]firebaseio[.]com as the malicious version. As the Talos report noted, Skipped was\r\noriginally a legitimate dating app. 
The Google Play store version was last updated in August 2021.\r\nSkipped Messenger \u0026 Telegram app main screen\r\nLike most malicious Android apps, these apps ask the user to enable permissions that facilitate spyware activities.\r\nSkipped Messenger screens prompting the user to enable Accessibility features\r\nThe application permissions give a high degree of control over the device, including:\r\nAccessing the phone’s location\r\nMaking calls without user interaction\r\nMonitoring calls made by the user\r\nRecording with the microphone, capturing audio output\r\nRead \u0026 Write to storage\r\nRead \u0026 Write to the Contacts list\r\nModifying network state\r\nCollecting a list of accounts used on the device\r\nDownloading files to the phone without user interaction\r\nLaunching Java archive (JAR) files as a Service\r\nReading notifications received on the device as well as any connected wearables\r\nThe developer employed anti-decompilation and anti-virtualization techniques to complicate analysis. Each of\r\nthese APKs contains application code that is obfuscated. On emulated Android devices, the apps flash and\r\nrepeatedly cycle through prompts even after the requested permissions have been granted.\r\nComparing these new versions with older SpyC23 variants, there is significant overlap in package names, which\r\nfortifies the relationship between the old and new versions. 
In the image below, the older version on the left\r\nhouses malicious activity in the update.bbm package, and the version we discovered on the right houses similar\r\nsubpackages in the apps.sklite.pacJava package.\r\nJava subpackage names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)\r\nThe overlaps continue in the class names. The actor frequently names classes after people’s names, as outlined in\r\nthe rc_cola/tas_ran_rc_col package structure.\r\nJava class names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)\r\nThese applications are quite large, making analysis of each class impractical. Instead, we will focus on several\r\ninteresting classes and methods.\r\nACCAPPService\r\nThis class handles some communications to the C2. Of note, the class contains code that pertains to the user\r\nuninstalling the application. The SendToServerTask subclass logs when the user is in a ‘dangerous’ menu and\r\nparses input containing the active menu name for the English words ‘apps’ or ‘applications’ as well as the Arabic\r\nword for ‘Applications’.\r\n“User In Dangerous Menu” logging messages\r\nBrodie\r\nThis class is responsible for much of the app’s upload request handling, acting as an interface between the app and\r\nthe C2 server. Brodie contains a method named isProbablyArabic , suggesting again that these apps are used\r\nagainst Arabic-speaking targets.\r\nisProbablyArabic method from Brodie class\r\nCallRecService\r\nThis service enables the spyware’s call recording feature. The class is imported from an external library,\r\nlibcallrecfix.so , and runs as a service. The Unix library is based on at least two open-source Android call\r\nrecording projects, though neither is actively maintained. 
This was implemented in 2020 and has been a staple of\r\nSpyC23 iterations since. The library is a binary compiled for each of the app’s compatible architectures.\r\ncheckRaw\r\nThis Audio upload service has many of the same status logging strings and media recording parameters seen in\r\nolder versions of Arid Viper’s Android toolsets, including FrozenCell, reported by Lookout in 2017, and VAMP,\r\nwhich was reported by Palo Alto in 2017 as well.\r\nRcNewService class from FrozenCell (left) and checkRaw class from 2023 APP-UPGRADE version\r\nof SpyC23 (right)\r\nSome elements of this audio recording code are present in GitHub repositories described as a teardown of the\r\nTelegram Android app. While this is potentially an adaptation of open-source software, the similarities between\r\nthe SpyC23 APKs are consistent, and the external versions do not have the same variables or logging messages.\r\nMoller\r\nThis class is notable because it contains code that spans back to much earlier versions of Arid Viper’s Android\r\nspyware. We identified a 2017 GnatSpy sample from Trend Micro’s Arid Viper reporting that shares the same\r\nupload functionality through a subclass JsDirService .\r\nPanda\r\nThis class loads methods from external libraries libRoams.so and lib-uoil.so . The code imports several\r\nfunctions related to manufacturer-specific implementations, including Huawei, Oppo, and Xiaomi.\r\nThe Panda class imports methods from the open-source Gotev Android Upload Service, which was also used by\r\nthe older versions of SpyC23. 
Panda imports methods from the OKhttp library to craft HTTP requests. When the\r\nOnCreate method runs, it initializes the Gotev service, parses the C2 configuration values, and registers\r\nGarciaReceiver , a receiver that monitors for a connection state change which was also present in older versions.\r\nonCreate method inside the Panda class\r\nLike older versions of SpyC23, this class has logic to parse and decode the C2 server details from strings stored\r\ninside the lib-uoil.so and related binaries. The strings are encoded partially in Base64 with an additional layer\r\nlikely on top to parse the correct C2 server URIs. The previous technique of dropping the strings before and after\r\nthe hyphen remains, and further substitution removes spaces and underscores, replacing them with hyphens.\r\nC2 Infrastructure\r\nThe C2 servers used by these apps continue the longstanding Arid Viper domain naming scheme of a hyphenated\r\nhostname that uses Western-sounding people’s names. The primary C2 servers are:\r\nluis-dubuque[.]in – C2 domain used by APP-UPGRADE Skipped Messenger APK\r\ndanny-cartwright[.]firm[.]in – C2 domain used by com.teleram.app APK\r\nconner-margie[.]com – C2 domain used by com.alied.santafi\r\nWe have included additional network indicators associated with app features that are unique to the APKs\r\nanalyzed, including Google Cloud project hostnames and Firebase messaging hostnames.\r\nConclusion\r\nThe discovery of these APKs demonstrates that Arid Viper continues to thrive in the mobile malware space. The\r\ndedication to anti-analysis and obfuscation suggests that the developers have an awareness of research analysis\r\nand they have applied measures to deter them and remain under the radar. 
The presence of code from other Arid\r\nViper Android spyware families in SpyC23 fortifies the connection between this group’s various iterations of\r\ntools. The resulting bloat from carrying over older versions of the spyware aids attribution in the complex mobile\r\nmalware landscape that pervades in the Middle East.\r\nArid Viper has historically targeted military personnel in the Middle East, as well as journalists and dissidents.\r\nThe most recent versions of SpyC23 highlight the actor’s focus on Arabic speakers, which is an interesting\r\ndevelopment given the actor’s historical penchant for targeting Israeli military personnel with Android spyware.\r\nThose who are at risk of being targeted by this group should avoid installing applications from outside of the\r\nGoogle Play Store. Everyone should remain wary when installing new apps from any source: does this app really\r\nneed the permissions it requests? 
In the case of SpyC23 apps, there is a lengthy walkthrough with images guiding\r\nthe user to accept an inordinate number of permissions.\r\nSentinelLABS would like to thank the research team at Cisco Talos for their collaboration on this research.\r\nIndicators of Compromise\r\nSHA1 Notes\r\n03448782d5b717b7ad1a13b1841119bc033f40dd Teleram /lib/mips/librealm-jni.so\r\n12af178d20ec7e1294873304b0ea81b5fcfd6333 Teleram /lib/armeabi-v7a/librealm-jni.so\r\n17ab647f3b7ccf15b82f51e19301e682f7e8c82a APP-UPGRADE /armeabi-v7a/libRoams.so\r\n29814eacb12b53efcda496485765a30c3c2b589e Santafi /lib/x86_64/libsonsod.so\r\n2f0895fa9e1a404da46f56ab13c131de1a0eac1e APP-UPGRADE /x86/libRoams.so\r\n300fb7a0597519b99b6120d16666be9b29ee5508 APP-UPGRADE /x86_64/libcallrecfix.so\r\n31ba9425007d17745bb6b44c85042dcbd15fe837 Santafi /lib/x86_64/libcallrecfix.so\r\n46bfcb28cde424d0d11e5772c2683391b0f1491a com.teleram.app.apk a Telegram-themed APK\r\n4f58d69c53685365a4b6df70eca6fa203e6ba674 APP-UPGRADE /x86_64/libRoams.so\r\n532876649c027ebaea56604fbcd7ce909a8aa4e3 APP-UPGRADE /arm64-v8a/libcallrecfix.so\r\n5476d52ab6f982bb29ba2ace0074e77523f9f655 APP-UPGRADE /x86/libcallrecfix.so\r\n55c9c7a53c9468d365743f155b2af7e189586822 APP-UPGRADE /arm64-v8a/libRoams.so\r\n5a238ade0b402c3dbef7c82406649f27ae6b479a Santafi /lib/x86/libcallrecfix.so\r\n600442488eb9536c821188dfad9d59e987ff7a56 Santafi /lib/armeabi-v7a/libsonsod.so\r\n6f68e8645b4b88d7608310b7736749368398914a Teleram /lib/x86/librealm-jni.so\r\n793177ffe60030fefbe6a17361b266980f151fa4 Santafi /lib/arm64-v8a/libcallrecfix.so\r\n893dae5ded7eb0a35e84867e62cbbb7e831aac97 Santafi /lib/arm64-v8a/libdalia.so\r\n9c1c02a387b0aa59b09962f18e4873699d732019 Santafi /lib/armeabi-v7a/libcallrecfix.so\r\n9d9696bc552dc5dbb4d925d0fb04f77018deef50 Teleram /lib/x86_64/librealm-jni.so\r\na610a05d6087bc1493e505fd4c1e4ef4b29697e3 
com.alied.santafi.apk a Telegram-themed APK\r\na8937d38cc8edb9b2dfb1e6e1c5cad6f63ae0ecc APP-UPGRADE /x86/libuoil.so\r\na8e0b6fda4bc1bd93d2a0bc30e18c65eb7f07dec Teleram /lib/arm64-v8a/libcallrecfix.so\r\naacb4e5f9e6b516b52d0008f2e5f58c60b46610b Teleram /lib/armeabi-v7a/libcallrecfix.so\r\nae8d4853377f4a553ecad0c84398ef9dc8735072 Teleram /lib/x86/libcallrecfix.so\r\nb9835174a9a4445dc4d5ff572a79c54f234120bf Santafi /lib/armeabi-v7a/libdalia.so\r\nc0f4592df97073fb5021e2acee0a3763b8fbaf76 Teleram /lib/x86_64/libcallrecfix.so\r\nc1c5a00b22e7d12e8a41d5d8fbe625ecb218fa7c Santafi /lib/arm64-v8a/libsonsod.so\r\nc396327a2332bd6fbc771a97b5e0d4d1a43e8f72 APP-UPGRADE themed Skip Messenger APK\r\nce954dcc62f17f6e31bfa9164f5976740f1b127e APP-UPGRADE /arm64-v8a/libuoil.so\r\ncfa5ef1bff2746407f96ab5c86b66ec5cf305e77 Santafi /lib/x86_64/libdalia.so\r\nda690c4b1569e1f0b0734762c0f274e3ba33ded1 APP-UPGRADE /armeabi-v7a/libuoil.so\r\nde92fb9af9d6e68a001b6263b9c3158325d77f99 Teleram /lib/arm64-v8a/librealm-jni.so\r\ne05ce0496c6d20c24997c17a65c44ccd08cb2a10 APP-UPGRADE /armeabi-v7a/libcallrecfix.so\r\neb14e05364e675fcf03934be549ae96b36b12af0 Santafi /lib/x86/libdalia.so\r\nf8adf63d34eb54121389b9847771d110978aec8e APP-UPGRADE /x86_64/libuoil.so\r\nfb7b9681567478a660413ec591fc802e35a55b7e Santafi /lib/x86/libsonsod.so\r\nDomain Notes\r\n1058215140016-\r\nkv5c01acm9r7argbis96lmudg6p68koe.apps.googleusercontent.com\r\nGoogle Cloud content hostname\r\nused by APP-UPGRADE Skipped\r\nMessenger APK\r\n1095841779797-\r\nidgdkor5mh0lbjeq5spcksbj7jpdlaj9.apps.googleusercontent.com\r\nGoogle Cloud web client\r\nhostname used by\r\ncom.alied.santafi\r\n314359296475-\r\nglearr20do927s2v75cgiocb585gqjgd.apps.googleusercontent.com\r\nGoogle Cloud web client\r\nhostname used by Teleram app\r\nconner-margie[.]com\r\nC2 domain used by\r\ncom.alied.santafi\r\ndanny-cartwright[.]firm[.]in\r\nC2 domain used by\r\ncom.teleram.app APK\r\njolia-16e7b.appspot.com\r\nGoogle Storage bucket used by\r\ncom.alied.santafi\r\nluis-dubuque[.]in\r\nC2 domain used by APP-UPGRADE Skipped Messenger\r\nAPK\r\nrashonal.appspot.com\r\nGoogle Cloud web client\r\nhostname used by APP-UPGRADE Skipped Messenger\r\nAPK\r\nskippedtestinapp.firebaseio.com\r\nFirebase service for Skipped\r\nMessenger APKs\r\nyellwo-473d0.appspot.com\r\nGoogle Storage bucket used by\r\nTeleram app\r\nSource: https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"
	],
	"report_names": [
		"arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a46d95b419457293066c75e9dc62eb3fa6e01529.pdf",
		"text": "https://archive.orkl.eu/a46d95b419457293066c75e9dc62eb3fa6e01529.txt",
		"img": "https://archive.orkl.eu/a46d95b419457293066c75e9dc62eb3fa6e01529.jpg"
	}
}