GnatSpy is a mobile malware family used to target Android-powered devices. The malware is believed to be a new variant of the VAMP malware as the two share some C2 infrastructure. The APT threat group known as "Two-tailed Scorpion" or "APT-C-23" have targeted Android users using these malware variants via malicious apps in order to obtain images, text messages, contact information, call history, and other sensitive data from the infected devices. GnatSpy, however, is a more modular and sophisticated piece of malware, incorporating capabilities to capture additional information about the device's battery, memory and storage usage, and SIM card status. It contains several functions targeting newer Android operating system versions, such as Marshmallow and Nougat. To evade detection, the malicious app's code uses Java annotations and reflection methods and encodes its C2 server. However, a function call is in this code that provides a C2 URL that, when accessed, sends back the location of the actual C2 server. The C2 domains have been recently registered, suggesting the threat actors are still active despite reporting of their activities.

Technical Details

  • Trend Micro provides technical analysis on GnatSpy here.
Android MalwareNJCCICGnatSpy