
S1195: SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

Mobile | S1195 | Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

SpyC23 is an Android mobile spyware family associated in ATT&CK with APT-C-23 and reported primarily against Middle East targets. Its business significance is not just “malware on a phone”: the mapped behaviors cover microphone, camera, screen, location, notifications, SMS, call logs, contacts, local files, and web or out-of-band communications. For leaders, this makes unmanaged or weakly governed mobile devices a potential source of identity compromise, sensitive data exposure, and physical-location risk.

Executive priority

Prioritize SpyC23 as a mobile security and incident-readiness planning case where Android devices are used by executives, field staff, privileged users, or personnel operating in relevant regions. Ask whether mobile device management, application vetting, permission governance, and mobile incident response can produce evidence for suspicious permissions, hidden apps, SMS/call abuse, notification access, and network communications. Because ATT&CK provides no official detection text for this object, coverage should be proven through local telemetry and exercises rather than assumed from endpoint or network tooling.

Technical view

ATT&CK lists SpyC23 for Android and relates it to behaviors including obfuscation, audio capture, location tracking, web-protocol C2, video and screen capture, notification access, local data collection, tool transfer, SMS and call control, broadcast receiver persistence, icon suppression, user/sandbox evasion, disabling or modifying tools, call log/contact/SMS collection, out-of-band data, and matching legitimate app names or locations. SOC and IR teams should validate whether Android fleet controls can surface high-risk permission combinations such as microphone, camera, location, SMS, phone, contacts, notification access, accessibility-like visibility where applicable, device administrator abuse, hidden launcher icons, suspicious broadcast receivers, and unusual HTTP/HTTPS or SMS-based communications. Analysis should account for close variants named in the ATT&CK description, including VAMP, GnatSpy, Desert Scorpion, and FrozenCell, without assuming they are identical in every environment.

Likely telemetry

  • Android application inventory, package names, signing metadata, install source, version history, and icon/launcher visibility
  • Android manifest and runtime permission grants for microphone, camera, location, SMS, phone, contacts, notification access, storage, and background location
  • MDM/UEM compliance state, device administrator status, security-tool health, and evidence of disabled or modified mobile protections
  • Mobile threat defense or device security events for obfuscation, sandbox evasion indicators, suspicious app behavior, and hidden apps
  • Network telemetry for mobile HTTP/HTTPS communications, unusual destinations, and repeated background traffic from suspicious applications

Detection direction

  • Validate visibility first: confirm whether corporate Android devices are enrolled, whether personal/BYOD devices are in scope, and whether telemetry includes app permissions, install source, network behavior, and SMS/phone-related events.
  • Hunt for clusters of sensitive permissions and behaviors rather than a single indicator: microphone plus location plus SMS/phone/contact access, hidden launcher behavior, notification access, and persistent broadcast receivers should raise concern in a business app context.
  • Tune for false positives from legitimate communications, navigation, conferencing, messaging, and device-management apps by baselining approved packages, expected permission sets, signing certificates, and normal network destinations.
  • Include variant-aware threat intelligence enrichment for SpyC23, VAMP, GnatSpy, Desert Scorpion, and FrozenCell, while separating ATT&CK relationship context from locally verified indicators.
  • Account for evasion: obfuscated files, sandbox/virtualization checks, user-evasion behavior, legitimate-looking names/icons, and possible security-tool interference mean static app review alone may be insufficient.
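As an added illustration (not part of the Glexia take or the ATT&CK material), the Python below scores a constructed app inventory against the permission-cluster and behaviour criteria listed above, with an approved-package baseline to suppress the false positives the tuning bullet describes. The record fields and the baseline are assumptions about what an MDM/UEM export might provide, not any real product's schema.

```python
"""Score Android inventory records for the SpyC23-style profile described above:
mic + location + SMS/phone/contacts, notification access, hidden launcher icon,
BOOT_COMPLETED receiver and a non-Play install, minus a baseline of approved apps."""

P = "android.permission."  # real Android permission prefix
MIC, NOTIF = P + "RECORD_AUDIO", P + "BIND_NOTIFICATION_LISTENER_SERVICE"
LOCATION = {P + "ACCESS_FINE_LOCATION", P + "ACCESS_BACKGROUND_LOCATION"}
SMS = {P + "READ_SMS", P + "SEND_SMS", P + "RECEIVE_SMS"}
PHONE, CONTACTS = {P + "CALL_PHONE", P + "READ_CALL_LOG"}, {P + "READ_CONTACTS"}
BOOT_COMPLETED, PLAY_STORE = "android.intent.action.BOOT_COMPLETED", "com.android.vending"

# Constructed baseline: approved packages and the permission set each is expected to hold.
BASELINE = {"com.example.corpmessenger": {MIC, P + "CAMERA", P + "READ_CONTACTS", P + "READ_SMS"}}

def score_app(app):
    """Return (score, reasons) for one record; each matched behaviour adds one point."""
    perms, expected = set(app["permissions"]), BASELINE.get(app["package"])
    if expected is not None and perms <= expected:
        return 0, []  # approved package within its expected permission set
    reasons = []
    if MIC in perms and perms & LOCATION and perms & (SMS | PHONE | CONTACTS):
        reasons.append("mic+location+sms/phone/contacts cluster")
    if NOTIF in perms:  # declared on a NotificationListenerService; user grants it in Settings
        reasons.append("notification listener declared")
    if not app["launcher_icon_visible"]:
        reasons.append("launcher icon hidden")
    if BOOT_COMPLETED in app["receivers"]:
        reasons.append("BOOT_COMPLETED receiver")
    if app["install_source"] != PLAY_STORE:
        reasons.append("not installed from Play")
    if expected is not None:
        reasons.append("approved package exceeds its expected permissions")
    return len(reasons), reasons

def review_queue(inventory, threshold=3):
    """Packages scoring at or above the threshold, highest score first."""
    scored = [(app["package"], *score_app(app)) for app in inventory]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample inventory (hypothetical MDM export shape): a baselined corporate app,
# a maps app, and a sideloaded "messenger" with hidden icon, boot receiver and the full cluster.
SAMPLE_INVENTORY = [
    {"package": "com.example.corpmessenger", "launcher_icon_visible": True, "receivers": [],
     "install_source": PLAY_STORE, "permissions": [MIC, P + "CAMERA", P + "READ_CONTACTS"]},
    {"package": "com.example.maps", "launcher_icon_visible": True, "receivers": [],
     "install_source": PLAY_STORE, "permissions": [P + "ACCESS_FINE_LOCATION"]},
    {"package": "com.chat.secure.messenger", "launcher_icon_visible": False,
     "receivers": [BOOT_COMPLETED], "install_source": "com.android.packageinstaller",
     "permissions": [MIC, P + "ACCESS_FINE_LOCATION", P + "READ_SMS", P + "READ_CONTACTS", NOTIF]},
]
```

Running `review_queue(SAMPLE_INVENTORY)` returns only the sideloaded messenger with a score of 5; the threshold is deliberately above any single indicator so that one permission alone never pages an analyst.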

Mitigation priorities

  • Establish mobile asset governance: know which Android devices access enterprise data, require enrollment for sensitive access, and define controls for BYOD versus managed devices.
  • Restrict risky app sources and enforce application allowlisting or approval workflows for users with sensitive roles or regional exposure.
  • Use least-privilege permission governance: review and limit apps requesting microphone, camera, location, SMS, phone, contacts, notification access, storage, and background execution permissions.
  • Maintain mobile security control health through MDM/UEM policy, detection tooling where deployed, and monitoring for device administrator abuse or disabled protections.
  • Prepare mobile IR playbooks covering evidence preservation, device isolation, credential/session revocation, MFA re-enrollment, app removal, and assessment of exposed SMS, notifications, contacts, media, and local files.

Analyst notes and limits

This take is based on the official ATT&CK S1195 fields and supplied relationships. The strongest defensive value comes from the breadth of mapped Android collection, evasion, persistence, and communication behaviors, not from a provided ATT&CK detection analytic. The APT-C-23 relationship and Middle East targeting are ATT&CK-described context; they should inform prioritization but not be treated as proof of current activity in any specific organization.

ATT&CK supplies no official detection guidance, no tactics for this object in the provided fields, and no environment-specific indicators of compromise. Telemetry availability varies significantly across managed Android, BYOD, carrier, and privacy/legal boundaries. Any conclusion about compromise, exposure, or control effectiveness requires local device, MDM/UEM, network, and incident evidence.

Official MITRE ATT&CK definition

SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Mobile T1616 Call Control

SpyC23 can make phone calls. Citations: welivesecurity_apt-c-23; SentinelLabs AridViper 2023

Mobile T1628.002 User Evasion Sub-technique

SpyC23 has used blank screen overlays to hide malicious activity from the user. Citations: welivesecurity_apt-c-23

Mobile T1533 Data from Local System

SpyC23 can collect and exfiltrate files with specific extensions, such as .pdf and .doc. Citations: welivesecurity_apt-c-23

Mobile T1517 Access Notifications

SpyC23 reads notifications from applications and connected wearables. Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware; SentinelLabs AridViper 2023; Cyware APT-C-23 2020

Mobile T1624.001 Broadcast Receivers Sub-technique

SpyC23 listens for the `BOOT_COMPLETED` broadcast to activate malware. Citations: welivesecurity_apt-c-23

Mobile T1512 Video Capture

SpyC23 can capture pictures and videos. Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware; threatpost AndroidSpyware 2020

Mobile T1633 Virtualization/Sandbox Evasion

SpyC23 has obfuscated code and anti-virtualization techniques to hinder analysis. Citations: SentinelLabs AridViper 2023

Mobile T1430 Location Tracking

SpyC23 can access the device's location. Citations: SentinelLabs AridViper 2023

Mobile T1544 Ingress Tool Transfer

SpyC23 can download more malware to the victim device. Citations: welivesecurity_apt-c-23; checkpoint_hamas_android_malware; SentinelLabs AridViper 2023

Mobile T1582 SMS Control

SpyC23 can send SMS messages. Citations: welivesecurity_apt-c-23

Mobile T1636.003 Contact List Sub-technique

SpyC23 can exfiltrate the victim device's contact list. Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware; threatpost AndroidSpyware 2020

Mobile T1429 Audio Capture

SpyC23 can record phone calls and audio. Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware; SentinelLabs AridViper 2023; Cyware APT-C-23 2020; threatpost AndroidSpyware 2020

Mobile T1406 Obfuscated Files or Information

SpyC23 has used obfuscation techniques to hide its hardcoded C2 address. Citations: welivesecurity_apt-c-23

Mobile T1629.003 Disable or Modify Tools Sub-technique

SpyC23 has disabled Play Protect. Citations: welivesecurity_apt-c-23

Mobile T1628.001 Suppress Application Icon Sub-technique

SpyC23 can hide its icon. Citations: welivesecurity_apt-c-23

Mobile T1636.002 Call Log Sub-technique

SpyC23 can exfiltrate the call log. Citations: threatpost AndroidSpyware 2020

Mobile T1644 Out of Band Data

SpyC23 can receive Command and Control commands from SMS messages. Citations: welivesecurity_apt-c-23

Mobile T1437.001 Web Protocols Sub-technique

SpyC23 can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM). Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware

Mobile T1655.001 Match Legitimate Name or Location Sub-technique

SpyC23 has masqueraded as legitimate messaging applications. Citations: welivesecurity_apt-c-23; checkpoint_hamas_android_malware; sophos_android_apt_spyware; SentinelLabs AridViper 2023; Cyware APT-C-23 2020; threatpost AndroidSpyware 2020

Mobile T1513 Screen Capture

SpyC23 can record and take screenshots of the victim device. Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware

Mobile T1636.004 SMS Messages Sub-technique

SpyC23 can read and exfiltrate SMS messages. Citations: welivesecurity_apt-c-23; sophos_android_apt_spyware; threatpost AndroidSpyware 2020

Associated objects

Groups, software, and campaigns

Group (Mobile)

G1028: APT-C-23

APT-C-23 is a threat group that has been active since at least 2014.[1] APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.[2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not recorded in this snapshot)
Modified: (not recorded in this snapshot)
Raw hash: 1efb61e9eb8998d2...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1efb61e9eb89…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] welivesecurity_apt-c-23: Stefanko, L. (2020, September 30). APT-C-23 group evolves its Android spyware. Retrieved March 4, 2024.
  2. [2] Unit42 VAMP 2017: Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.
  3. [3] Trendmicro GnatSpy 2017: Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.
  4. [4] mitre-attack S1195: MITRE ATT&CK software entry S1195.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.