Arid Viper Continued SpyC23 Android Espionage via Fake Messaging Apps
SentinelLABS reported that the Arid Viper threat actor continued deploying its SpyC23 Android spyware in 2022 and 2023 through weaponized applications posing as Telegram-themed tools and a dating-themed app called Skipped Messenger. The campaign targeted victims in the Middle East, with a notable focus on Arabic-speaking users, and aligns with the group’s long-running mobile espionage activity linked to Hamas interests.
Researchers found substantial code and functionality overlap between recent SpyC23 samples and older Arid Viper Android malware families including GnatSpy, FrozenCell, and VAMP, reinforcing attribution. The spyware sought broad device permissions to enable location tracking, call monitoring and recording, contact and storage access, notification reading, and silent file downloads, while also using obfuscation, anti-decompilation, and anti-virtualization techniques and command-and-control naming patterns consistent with the actor’s established infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Arid Viper continues SpyC23 Android targeting in 2022 and 2023
SentinelLABS reported that Arid Viper continued distributing SpyC23 Android spyware during 2022 and 2023 through weaponized apps masquerading as Telegram-themed applications and a dating-themed app called Skipped Messenger. The activity targeted victims in the Middle East, with a notable focus on Arabic-speaking users.
SentinelLABS links newer SpyC23 samples to older Arid Viper malware
Researchers identified substantial code, package, class, and functionality overlaps between newer SpyC23 samples and older Arid Viper Android malware families including GnatSpy, FrozenCell, and VAMP. The analysis strengthened attribution of these Android espionage toolsets to Arid Viper.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Spyware Campaigns Targeting Mobile Messaging Apps and Android Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a surge in sophisticated spyware campaigns targeting users of popular mobile messaging applications such as Signal, WhatsApp, and Telegram. Threat actors are leveraging commercial spyware and remote access trojans (RATs), employing tactics like social engineering, device-linking QR codes, zero-click exploits, and spoofed app versions to compromise high-value individuals, including government officials. Notable campaigns include the use of Android spyware like ProSpy, ToSpy, and ClayRat, as well as the exploitation of vulnerabilities in iOS, WhatsApp, and Samsung devices to deploy malware such as LANDFALL, with the goal of persistent access and data exfiltration. In a related development, researchers at Certo Software have identified a new Android RAT dubbed RadzaRat, which masquerades as a legitimate file manager app. RadzaRat provides attackers with full remote control over infected devices, supports large-scale file transfers, and features keylogging capabilities to steal sensitive information. Alarmingly, RadzaRat is currently undetectable by all major antivirus solutions and is openly available for download, increasing the risk of widespread abuse. These findings underscore the growing threat posed by advanced spyware and RATs targeting mobile platforms, often bypassing traditional security defenses and exploiting user trust in legitimate-looking applications.
Mar 21, 2026
APT-C-23 Upgrades Android Spyware for Mobile Espionage
ESET reported that the **APT-C-23** threat group evolved its Android spyware toolkit, indicating continued investment in mobile-focused espionage operations. The updated malware was tied to the group’s broader surveillance activity and reflects an effort to improve data collection from compromised Android devices, including access to sensitive user information and device content. The report said the spyware’s development shows a maturing capability set aimed at stealthier and more effective monitoring of targets through mobile malware. The activity reinforces the risk posed by state-aligned or politically motivated actors using Android implants to harvest communications, files, and other intelligence from victims’ phones.
May 26, 2026
Android Malware and Spyware Campaigns Using Trusted Platforms and Social Engineering Lures
Two separate Android-focused threat operations were reported, both relying on social engineering to drive manual installation of malicious apps. Bitdefender documented a campaign that abuses **Hugging Face** as a trusted hosting/CDN distribution point for an Android credential-stealing payload targeting popular financial and payment services. Victims are lured into installing a dropper app named **TrustBastion** via scareware-style ads; after installation it displays a fake Google Play “mandatory update” flow, then contacts infrastructure associated with `trustbastion[.]com` which redirects to a Hugging Face dataset repository hosting the final APK. The actor used **server-side polymorphism** to generate new payload variants roughly every 15 minutes, resulting in thousands of variants and rapid repository churn (reported as >6,000 commits over ~29 days); after takedown, the operation reportedly resurfaced under a new name (“**Premium Club**”) with refreshed branding. ESET separately identified an Android spyware campaign tracked as **GhostChat** that uses **romance-scam** tactics to target individuals in Pakistan. The malicious app is disguised as a chat/dating service but primarily functions as a surveillance tool; it presents “locked” female profiles with passcodes (hardcoded in the app) to create a sense of exclusivity, then routes victims into WhatsApp chats tied to Pakistani numbers likely controlled by the operator. The app was distributed via unofficial sources (not Google Play) and is blocked by Google Play Protect by default; ESET also linked the same actor to a broader surveillance effort including a **ClickFix** compromise chain and a WhatsApp device-linking attack, using websites impersonating Pakistani government organizations as lures.
Mar 21, 2026