S0505: Desert Scorpion
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]
There are multiple close variants of Desert Scorpion, such as VAMP[2], GnatSpy[3], FrozenCell and SpyC23, which add some additional functionality but are not significantly different from the original malware.
Analyst context for executives and security teams
Desert Scorpion is Android surveillanceware associated in ATT&CK with targeting individuals in the Middle East, specifically Palestine, and suspected operation by APT-C-23. Its decision value is that it maps to mobile behaviors that directly affect executive privacy, field operations, legal/compliance exposure, and personal safety: audio, video, location, contacts, SMS, local files, stored app data, and runtime code download. For organizations with high-risk mobile users, this is less a single-malware problem than a validation test for mobile device visibility, app governance, permission control, and incident response readiness.
Executive priority
Treat this as a mobile surveillance risk scenario for users whose phones carry sensitive communications, location, contacts, or operational data. Leaders should ask whether Android devices used by executives, travelers, journalists, field personnel, or regional teams are covered by mobile security policy, whether risky permissions and hidden apps can be investigated, and whether IR playbooks can preserve evidence without destroying mobile artifacts. Because ATT&CK provides no official detection text for this object, priority should be on proving telemetry and response capability rather than assuming SOC coverage exists.
Technical view
ATT&CK lists Desert Scorpion for Android and relates it to behaviors including runtime code download, discovery of software/files/system information, collection of local data, stored app data, contacts and SMS, audio/video/location capture, archiving collected data, SMS control, out-of-band data, icon suppression, file deletion, and code signing policy modification. SOC and IR teams should validate whether mobile telemetry can show suspicious permission combinations, app inventory changes, apps absent from the launcher but present on device, access to SMS/contacts/location/microphone/camera, file and directory enumeration, archive creation, runtime-loaded code, and SMS or other out-of-band communications. Detection should be behavior-led because the official object does not provide detection logic and the description notes multiple close variants such as VAMP, GnatSpy, FrozenCell, and SpyC23.
Likely telemetry
- Android app inventory and package metadata, including installation source, signing information, version changes, and hidden or launcher-suppressed applications
- Mobile permission state and permission-use history for microphone, camera, location, contacts, SMS, storage, and background location where available
- Mobile device management or mobile threat defense events for risky apps, sideloading policy state, code-signing or trust policy changes, and device administrator status
- Network and mobile security telemetry showing unusual outbound connections, compressed or encrypted uploads, and possible command-and-control patterns
- SMS event telemetry where legally and operationally available, including send/receive behavior, default SMS handler changes, and SMS-related permissions
Detection direction
- Start with ATT&CK relationship-driven behaviors rather than a single malware signature: combine surveillance permissions, discovery activity, data collection, and stealth indicators into mobile hunting hypotheses.
- Validate that Android fleet tooling can enumerate installed applications even when an application icon is suppressed from the launcher.
- Tune for suspicious permission clusters, especially apps requesting combinations of SMS, contacts, microphone, camera, location, storage, and background access that are inconsistent with business need.
- Assume static app scanning alone may be insufficient in the environment: the related technique Download New Code at Runtime indicates code may be obtained after installation, so post-install behavior needs to be observed as well.
- Include false-positive review for legitimate communications, navigation, recording, or enterprise apps that may request sensitive permissions for valid reasons; require business justification and app reputation/context.
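The hunting hypothesis described in this list, as an added example that is not part of the ATT&CK object or this page: a Python pass over a constructed app-inventory export that flags the permission clusters named above, launcher-suppressed apps, and non-Play installers, with a hypothetical business-justification allowlist to handle the false-positive review in the last item. The permission strings are real Android names; the package names, installer ids and allowlist are assumptions.

```python
# Added example (not ATT&CK or vendor code); all inventory records are constructed.
from dataclasses import dataclass
# Real Android permission strings, grouped by the capabilities the page lists.
SURVEILLANCE_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "background": {"android.permission.ACCESS_BACKGROUND_LOCATION"},
}
PLAY_STORE = "com.android.vending"  # installer package reported for Play installs
JUSTIFIED = {"com.example.corp_messenger": {"sms", "contacts"}}  # hypothetical allowlist

@dataclass
class AppRecord:
    package: str
    permissions: set        # granted permission strings
    launcher_visible: bool  # False when the app exposes no LAUNCHER activity
    installer: str          # installing package as reported by the device

def capabilities(app):  # sensitive groups the app holds at least one permission for
    return {g for g, perms in SURVEILLANCE_GROUPS.items() if app.permissions & perms}

def assess(app, threshold=4):
    """Reasons an analyst should review the app; an empty list means no flag."""
    caps = capabilities(app) - JUSTIFIED.get(app.package, set())
    reasons = []
    if len(caps) >= threshold:   # cluster inconsistent with most business apps
        reasons.append("permission cluster: " + ",".join(sorted(caps)))
    if not app.launcher_visible:  # Suppress Application Icon (T1628.001)
        reasons.append("no launcher icon")
    if app.installer != PLAY_STORE:  # context only; this family was found in Google Play
        reasons.append("installed by " + app.installer)
    return reasons

def hunt(inventory, threshold=4):  # flagged package -> review reasons
    return {a.package: r for a in inventory if (r := assess(a, threshold))}
SAMPLE_INVENTORY = [  # constructed records, not real apps
    AppRecord("com.example.hidden_chat", {"android.permission.READ_SMS",
              "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
              "android.permission.ACCESS_FINE_LOCATION"}, False, "com.example.dropper"),
    AppRecord("com.example.corp_messenger", {"android.permission.READ_SMS",
              "android.permission.READ_CONTACTS"}, True, PLAY_STORE),
    AppRecord("com.example.maps", {"android.permission.ACCESS_FINE_LOCATION"},
              True, PLAY_STORE),
]
```

Lower the threshold or extend the allowlist to match the fleet's documented business apps; the installer reason is deliberately weak because Play presence alone clears nothing for this family.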
Mitigation priorities
- Prioritize mobile asset governance: identify Android devices used for sensitive business, executive, travel, field, or regional operations and ensure they are enrolled in managed policy where appropriate.
- Enforce app installation controls and review installation sources, signing trust, and sideloading exposure consistent with organizational mobile policy.
- Apply least-privilege mobile permission management for SMS, contacts, camera, microphone, location, storage, and background location; investigate apps that do not have a clear business need.
- Maintain mobile OS and security control hygiene, including patch visibility and checks for rooting or policy modification where tooling supports it.
- Prepare mobile incident response procedures that preserve device state, application inventory, logs, and forensic artifacts before remediation actions.
Analyst notes and limits
This take is based on ATT&CK software S0505 Desert Scorpion, its Android platform designation, official description, external references, and listed relationships to APT-C-23 and mobile techniques. The most material defender takeaway is the breadth of mobile surveillance behaviors: collection, sensing, discovery, stealth, runtime code, SMS control, and out-of-band communication. FrozenCell and SpyC23 are noted by ATT&CK as close variants but are separate software entries, so they should be used as context rather than collapsed into identical detection logic.
ATT&CK provides no official detection text, no aliases, no tactics, and no guaranteed indicators in the supplied fields. The relationship to APT-C-23 is described as suspected operation, not definitive attribution. This summary does not establish current exploitation, customer exposure, infrastructure, hashes, package names, or detection coverage. Local device telemetry, legal monitoring boundaries, mobile management scope, and user risk context are required to turn this into actionable coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1532 | Archive Collected Data | Desert Scorpion can encrypt exfiltrated data.[1] |
| Mobile | T1644 | Out of Band Data | Desert Scorpion can be controlled using SMS messages.[1] |
| Mobile | T1407 | Download New Code at Runtime | Desert Scorpion has been distributed in multiple stages.[1] |
| Mobile | T1418 | Software Discovery | Desert Scorpion can obtain a list of installed applications.[1] |
| Mobile | T1420 | File and Directory Discovery | Desert Scorpion can list files stored on external storage.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Desert Scorpion can retrieve SMS messages.[1] |
| Mobile | T1429 | Audio Capture | Desert Scorpion can record audio from phone calls and the device microphone.[1] |
| Mobile | T1426 | System Information Discovery | Desert Scorpion can collect device metadata and can check if the device is rooted.[1] |
| Mobile | T1533 | Data from Local System | Desert Scorpion can collect attacker-specified files, including files located on external storage.[1] |
| Mobile | T1512 | Video Capture | Desert Scorpion can record videos.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | Desert Scorpion can collect the device’s contact list.[1] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1] |
| Mobile | T1409 | Stored Application Data | Desert Scorpion can collect account information stored on the device.[1] |
| Mobile | T1430 | Location Tracking | Desert Scorpion can track the device’s location.[1] |
| Mobile | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification | If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1] |
| Mobile | T1628.001 | Hide Artifacts: Suppress Application Icon | Desert Scorpion can hide its icon.[1] |
| Mobile | T1582 | SMS Control | Desert Scorpion can send SMS messages.[1] |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | b04d2d4b878c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lookout Desert Scorpion: Blaich, A., Flossman, M. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
- [2] Unit42 VAMP 2017: Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.
- [3] Trendmicro GnatSpy 2017: Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.
- [4] mitre-attack S0505: MITRE ATT&CK software entry S0505.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.