APT-C-23 Upgrades Android Spyware for Mobile Espionage
ESET reported that the APT-C-23 threat group evolved its Android spyware toolkit, indicating continued investment in mobile-focused espionage operations. The updated malware was tied to the group’s broader surveillance activity and reflects an effort to improve data collection from compromised Android devices, including access to sensitive user information and device content.
The report said the spyware’s development shows a maturing capability set aimed at stealthier and more effective monitoring of targets through mobile malware. The activity reinforces the risk posed by state-aligned or politically motivated actors using Android implants to harvest communications, files, and other intelligence from victims’ phones.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Sophos documents new APT-C-23 Android spyware variants
Sophos published research on newly discovered Android spyware variants attributed to APT-C-23 targeting victims in the Middle East, especially the Palestinian Territories. The report detailed improved persistence, stealth, and command-and-control resilience, and said the malicious apps were reported to Google's Android security team.
ESET publishes analysis of APT-C-23's evolved Android spyware
ESET released a report describing how the APT-C-23 group had evolved its Android spyware tooling and tactics. The reference provides no additional dated milestones beyond the publication of this analysis.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Arid Viper Continued SpyC23 Android Espionage via Fake Messaging Apps
SentinelLABS reported that the **Arid Viper** threat actor continued deploying its `SpyC23` Android spyware in 2022 and 2023 through weaponized applications posing as Telegram-themed tools and a dating-themed app called **Skipped Messenger**. The campaign targeted victims in the Middle East, with a notable focus on Arabic-speaking users, and aligns with the group’s long-running mobile espionage activity linked to Hamas interests. Researchers found substantial code and functionality overlap between recent `SpyC23` samples and older Arid Viper Android malware families including `GnatSpy`, `FrozenCell`, and `VAMP`, reinforcing attribution. The spyware sought broad device permissions to enable location tracking, call monitoring and recording, contact and storage access, notification reading, and silent file downloads, while also using obfuscation, anti-decompilation, and anti-virtualization techniques and command-and-control naming patterns consistent with the actor’s established infrastructure.
Apr 11, 2025
FinSpy Mobile Implants Target iOS and Android Devices
Researchers disclosed new **FinSpy** spyware implants for both **iOS** and **Android**, expanding the surveillance toolkit associated with the commercial monitoring platform. The mobile malware is designed to collect sensitive data from infected phones, including communications and device information, giving operators broad visibility into a target’s activity. The findings indicate that FinSpy’s operators adapted the spyware for modern mobile environments and deployed it in the wild against handheld devices rather than limiting operations to desktop systems. The disclosure highlights the continued evolution of commercial surveillance malware and the growing risk that advanced mobile implants pose to journalists, activists, political targets, and other individuals carrying sensitive data on smartphones.
May 26, 2026
Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration. In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.
Mar 21, 2026