S0577: FrozenCell
FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.[1]
There are multiple close variants of FrozenCell, such as VAMP[2], GnatSpy[3], Desert Scorpion and SpyC23, which add some additional functionality but are not significantly different from the original malware.
Analyst context for executives and security teams
FrozenCell matters because ATT&CK describes it as an Android surveillanceware component with behaviors that can expose sensitive mobile data, user location, audio, SMS, and local files. For leaders, the practical issue is not just one malware name; it is whether the organization can govern, monitor, and respond to high-risk mobile devices that may carry executive, operational, or regulated data.
Executive priority
Prioritize this as a mobile security and incident response readiness question: which Android devices have access to sensitive business systems, what data could be exposed from those devices, and can the organization produce audit-ready evidence of mobile app inventory, permissions, network activity, and response actions? The ATT&CK relationships also connect FrozenCell to APT-C-23 and to related surveillanceware variants, so threat intelligence teams should track it as part of a broader mobile spyware family rather than as a single static indicator set.
Technical view
ATT&CK provides no official detection text for FrozenCell, so SOC and detection teams should validate coverage through the related behaviors: runtime code download, collection of stored application data, file and directory discovery, system and network discovery, audio capture, location tracking, archiving collected data, local data collection, SMS access, and impersonation of legitimate names or locations. Because the platform is Android, useful validation should focus on mobile app permissions, app package and naming anomalies, runtime code loading behavior, access to SMS/location/microphone/local storage, and suspicious outbound network activity from mobile applications.
Likely telemetry
- Android mobile device management or enterprise mobility management inventory
- Installed application package names, app labels, icons, signing information, and installation source where available
- Android permission grants and permission changes, especially microphone, location, SMS, and storage-related access
- Mobile threat defense or endpoint telemetry for dynamic code loading and suspicious app behavior
- Device network telemetry, DNS/proxy/VPN logs, and outbound connection metadata from enrolled mobile devices
Detection direction
- Do not rely on static app-store or package inspection alone; the related Download New Code at Runtime technique means post-install behavior may be material.
- Tune detections for combinations of risky permissions and behaviors, such as location, microphone, SMS, storage access, discovery activity, and unusual outbound traffic from the same app.
- Look for apps that match or approximate legitimate names, icons, package names, or locations, because ATT&CK relates FrozenCell to Match Legitimate Name or Location.
- Use relationship-driven context: sightings of FrozenCell-like behavior should be reviewed alongside related variants named in ATT&CK, including VAMP, GnatSpy, Desert Scorpion, and SpyC23, while avoiding assumptions without local evidence.
- Account for false positives from legitimate enterprise apps that use location, microphone, storage, or network access; prioritize suspicious combinations, unexpected apps, and devices with access to sensitive business data.
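The combination-based triage described in the detection directions above, as an added example that is not part of the original page: it scores constructed Android app-inventory records on risky permission combinations, runtime code loading, sideloaded outbound activity, and lookalike names against an assumed allow-list of the chat apps FrozenCell imitated (the record shape is an assumed MDM/MTD export, not any vendor's schema).

```python
"""Triage Android app-inventory records per the detection directions above.
Constructed sample data; record shape is an assumed MDM/MTD export, not a vendor schema."""
import difflib

# Assumed allow-list of legitimate chat apps that FrozenCell imitated.
LEGIT = {"com.whatsapp": "WhatsApp", "com.facebook.orca": "Messenger",
         "jp.naver.line.android": "LINE"}
# Permissions behind T1429/T1430/T1636.004/T1533 (audio, location, SMS, storage).
RISKY_PERMS = {"RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_SMS",
               "READ_EXTERNAL_STORAGE"}

def name_lookalike(package, label, threshold=0.7):
    """Return the legitimate package this app approximates, or None (T1655.001)."""
    if package in LEGIT:
        return None  # exact package match; signing checks belong elsewhere
    for legit_pkg, legit_label in LEGIT.items():
        pkg_sim = difflib.SequenceMatcher(None, package, legit_pkg).ratio()
        lbl_sim = difflib.SequenceMatcher(None, label.lower(), legit_label.lower()).ratio()
        if max(pkg_sim, lbl_sim) >= threshold:
            return legit_pkg
    return None

def score_app(rec):
    """Count independent risk signals on one record; returns (score, reasons)."""
    reasons = []
    perms = RISKY_PERMS & set(rec["permissions"])
    if len(perms) >= 3:  # one risky grant is normal; the combination is not
        reasons.append("risky permission combination: %s" % sorted(perms))
    if rec.get("dynamic_code_loading"):
        reasons.append("runtime code loading observed (T1407)")
    if rec.get("outbound_hosts") and not rec.get("store_installed"):
        reasons.append("sideloaded app with outbound connections")
    look = name_lookalike(rec["package"], rec["label"])
    if look:
        reasons.append("name/package approximates %s (T1655.001)" % look)
    return len(reasons), reasons

def triage(records, min_score=2):
    # Map package -> reasons for records whose combined signals reach min_score.
    return {r["package"]: score_app(r)[1]
            for r in records if score_app(r)[0] >= min_score}

SAMPLE = [  # constructed records, not real telemetry
    {"package": "com.whatsapp.update", "label": "WhatsApp Update",
     "permissions": sorted(RISKY_PERMS), "dynamic_code_loading": True,
     "store_installed": False, "outbound_hosts": ["203.0.113.5"]},
    {"package": "com.whatsapp", "label": "WhatsApp", "permissions": sorted(RISKY_PERMS),
     "dynamic_code_loading": False, "store_installed": True, "outbound_hosts": ["198.51.100.7"]},
    {"package": "com.example.maps", "label": "Maps", "permissions": ["ACCESS_FINE_LOCATION"],
     "store_installed": True, "outbound_hosts": ["198.51.100.9"]},
]
```

Only the sideloaded lookalike reaches the triage threshold; the genuine WhatsApp record carries the same permissions but only one signal, which is the false-positive case the last bullet warns about.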
Mitigation priorities
- Maintain authoritative inventory and management coverage for Android devices that access enterprise data.
- Restrict or review high-risk app permissions, especially microphone, location, SMS, and broad storage access, according to business need.
- Require vetted application sources and review apps that imitate legitimate names, icons, or package conventions.
- Use mobile security tooling capable of behavioral analysis, not only static allow/block lists, because ATT&CK links this malware to runtime code download.
- Prepare mobile incident response procedures for containment, evidence preservation, device re-enrollment, credential review, and data exposure assessment.
Analyst notes and limits
The official ATT&CK entry identifies FrozenCell as the Android mobile component of a surveillanceware family with a desktop component known as KasperAgent and Micropsia. ATT&CK also states there are close variants such as VAMP, GnatSpy, Desert Scorpion, and SpyC23, and provides a relationship indicating APT-C-23 uses this object. This analysis is therefore framed around mobile spyware readiness, behavioral detection validation, and Android device governance rather than fixed indicators.
ATT&CK provides no official detection guidance, no tactics for this object, and no detailed procedure examples in the supplied fields. Local conclusions require environment-specific mobile telemetry, app inventories, device enrollment status, and incident evidence. This summary does not assert active exploitation, customer exposure, or guaranteed detection coverage.
FrozenCell
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1430 | Location Tracking | FrozenCell has used an online cell tower geolocation service to track targets.[1] |
| Mobile | T1533 | Data from Local System | FrozenCell has retrieved device images for exfiltration.[1] |
| Mobile | T1407 | Download New Code at Runtime | FrozenCell has downloaded and installed additional applications.[1] |
| Mobile | T1422 | System Network Configuration Discovery | FrozenCell has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).[1] |
| Mobile | T1420 | File and Directory Discovery | FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | FrozenCell has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.[1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | FrozenCell has read SMS messages for exfiltration.[1] |
| Mobile | T1409 | Stored Application Data | FrozenCell has retrieved account information for other applications.[1] |
| Mobile | T1426 | System Information Discovery | FrozenCell has gathered the device manufacturer, model, and serial number.[1] |
| Mobile | T1532 | Archive Collected Data | FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[1] |
| Mobile | T1429 | Audio Capture | FrozenCell has recorded calls.[1] |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | d7af6d72b784… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lookout FrozenCell: Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
[2] Unit42 VAMP 2017: Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.
[3] Trendmicro GnatSpy 2017: Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.
[4] mitre-attack S0577
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.