Phenakite
Phenakite is a custom iOS surveillance implant attributed in public reporting to Arid Viper, also known as Desert Falcon or APT-C-23. It was described by Facebook in April 2021 as a previously unreported iOS component embedded in a trojanized but functional chat application called Magic Smile, which used open-source RealtimeChat code for legitimate chat features. The malware was distributed through social engineering, including tricking victims into installing a mobile configuration profile and a device-specific signed app, allowing installation on non-jailbroken iPhones. Public reporting also states that the malicious IPA bundled the publicly available Osiris jailbreak and Sock Port exploit to elevate privileges after installation, with reported support for 64-bit devices on iOS 11.2 to 11.3.1 via Osiris and broader support from iOS 10.0 to 12.2 via Sock Port, potentially including 12.4 and later.
Reported capabilities include reading SMS messages; retrieving contacts; collecting device metadata; retrieving photos; silently recording audio, including phone call audio; taking photos with the device camera; and collecting and exfiltrating WhatsApp media, photos, and files with specific extensions such as .pdf and .doc. Reporting also states it could retrieve content sent or received via the trojanized chat application and exfiltrate SQLite databases including ChatStorage.sqlite and sms.db. During sign-up flows, Phenakite could redirect victims to phishing pages for iCloud and Facebook credential theft.
The activity was associated with cyber-espionage targeting primarily Palestinian individuals and organizations, including Palestinian government officials, Fatah members, student groups, and security forces. Facebook reported no evidence that Phenakite was widely deployed and assessed it was used sparingly. Samples were found first on a third-party mobile app distribution site, including zc.pgyer[.]com, and later on Arid Viper-controlled infrastructure. Additional reported artifacts included the team name "Brenda Braun" and team identifier "J22DGC9C5A" in some samples, and an embedded provisioning profile in one Magic Smile sample containing 74 unique iOS device identifiers. Apple reportedly revoked a developer certificate associated with the operation, disrupting Phenakite distribution at the time of reporting.
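As an added defender-side triage example (not code from this page or from the reporting it cites): a sideloaded IPA carries an embedded.mobileprovision whose plist names the signing team and, for ad hoc distribution, the pinned device UDIDs, which is how the Magic Smile sample was delivered. The sample profile below is constructed with the team name and identifier reported on this page and placeholder UDIDs; the marker search assumes the plist is cleartext inside the CMS wrapper, as it is in real profiles.

```python
import plistlib

# Team identifier and team name reported in public write-ups on Phenakite samples.
KNOWN_TEAMS = {"J22DGC9C5A": "Brenda Braun"}

# Constructed stand-in for the XML plist inside embedded.mobileprovision.
# Real profiles wrap this plist in a CMS signature, but the XML stays cleartext
# inside the blob, so the marker search below works on both forms.
# The three UDIDs are placeholders, not real device identifiers.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Magic Smile</string>
  <key>TeamName</key><string>Brenda Braun</string>
  <key>TeamIdentifier</key><array><string>J22DGC9C5A</string></array>
  <key>ProvisionedDevices</key>
  <array>
    <string>00000000-00000000000000A1</string>
    <string>00000000-00000000000000A2</string>
    <string>00000000-00000000000000A3</string>
  </array>
</dict>
</plist>
"""

def extract_plist(raw: bytes) -> dict:
    """Locate and parse the cleartext plist inside a .mobileprovision blob."""
    start = raw.find(b"<?xml")
    if start < 0:
        raise ValueError("no embedded plist found")
    end = raw.find(b"</plist>", start)
    if end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def triage_profile(raw: bytes) -> dict:
    """Summarise who signed the profile and how the app was distributed."""
    p = extract_plist(raw)
    team_ids = list(p.get("TeamIdentifier", []))
    devices = p.get("ProvisionedDevices", [])
    findings = [f"team identifier {t} matches reported Phenakite signer"
                for t in team_ids if t in KNOWN_TEAMS]
    # A ProvisionedDevices list means ad hoc, UDID-pinned distribution;
    # App Store profiles carry no such list.
    if devices:
        findings.append(f"ad hoc distribution profile pinned to {len(devices)} device UDIDs")
    return {"app_name": p.get("Name"), "team_name": p.get("TeamName"),
            "team_ids": team_ids, "device_count": len(devices),
            "ad_hoc": bool(devices), "findings": findings}
```

On a real IPA, read Payload/<App>.app/embedded.mobileprovision as bytes and pass it to triage_profile; a large UDID list together with a known team identifier is the signal worth escalating.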
Groups observed using it
1 distinct threat actor attributed by public researchers.
Arid Viper used custom iOS surveillanceware which has not been previously reported and reflects a tactical shift. We call this iOS component Phenakite...
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
If socially engineered, the victim must first be tricked into visiting an unofficial app store, third party app development site, or attacker controlled website hosting Phenakite.
Arid Viper has also utilized phishing emails and links to phishing web pages that spoof popular web services including Facebook and Yahoo email.
This spike in account creation towards the latter half of 2019 was observed alongside an increase in attempts to distribute both iOS and Android malware as well as phish credentials from users.
Execution
2 techniques
In all cases the successful installation of these tools did not require any exploits. This suggests that Arid Viper operators continue to heavily rely on social engineering to distribute their malware.
Android malware was typically hosted on convincing-looking attacker-controlled phishing sites.
Privilege Escalation
1 technique
To circumvent that, Phenakite comes bundled with the publicly available Osiris jailbreak and also includes the Sock Port exploit.
Stealth
2 techniques
Facebook found recent variants pretending to be popular Android applications for dating, networking, and regional banking in the Middle East.
Phenakite comes bundled with the publicly available Osiris jailbreak and also includes the Sock Port exploit.
Credential Access
1 technique
This malware could also direct victims to phishing pages for Facebook and iCloud in order to steal credentials for those services.
Collection
3 techniques
Retrieve photos from the camera roll ... Retrieve contacts ... Retrieve text messages ... Search for and return the path of files with a doc or PDF extension
Phenakite periodically recording audio and notifying C2 infrastructure... Similarly, Phenakite periodically uses the camera of a compromised device to take photos
Phenakite periodically uses the camera of a compromised device to take photos and sends these automatically to attacker infrastructure.
Command and Control
1 technique
Some Primewire samples utilize “multipart/form-data” for command and control check-ins... other samples combine the C2 parameters into a single “application/x-www-form-urlencoded” POST body.
Exfiltration
1 technique
uploading any files present before recursively uploading any files in subdirectories.
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
iOS spyware capable of recording calls, stealing WhatsApp media, photos, selected files, and redirecting victims to phishing pages to steal credentials.
Phenakite is identified as a named iOS malware sample/family.
Android malware that exfiltrates WhatsApp media, photos, and selected document types.
Malware that steals WhatsApp media, photos, and selected document types from devices.