MalwareUsed by 1 actor

FrozenCell

FrozenCell is an Android malware family associated in reporting with Arid Viper, also known as Desert Falcon or APT-C-23. Facebook’s April 2021 reporting states that Arid Viper’s Android tooling shares many similarities with malware previously reported as FrozenCell and VAMP. The broader Arid Viper activity was described as state-sponsored cyber espionage primarily targeting individuals and organizations in Palestine, including government officials, Fatah members, student groups, and security forces.

Based on the provided content, FrozenCell has surveillance and data theft capabilities on Android devices. Reported capabilities include collecting phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC); gathering device manufacturer, model, and serial number; reading SMS messages for exfiltration; and retrieving device images for exfiltration. These behaviors indicate device profiling, communications collection, and theft of locally stored media.

High-confidence indicators of compromise specific to FrozenCell are not provided in the content. The content also does not provide a distinct infection vector unique to FrozenCell itself, beyond the broader note that Arid Viper’s Android malware was distributed via social engineering and impersonated dating, networking, and regional banking applications in the Middle East, often requiring installation from third-party sources.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Arid Viper

The Android tooling used by Arid Viper shares many similarities with malware previously reported as FrozenCell and VAMP.

via about fbabout.fb.com

MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.002Spearphishing LinkEvidence1

This spike in account creation towards the later half of 2019 was observed alongside an increase in attempts to distribute both iOS and Android malware as well as phish credentials from users.

Execution

2 techniques

T1204User ExecutionEvidence1

In all cases the successful installation of these tools did not require any exploits. This suggests that Arid Viper operators continue to heavily rely on social engineering to distribute their malware.

T1204.002Malicious FileEvidence1

Android malware was typically hosted on convincing looking attacker-controlled phishing sites.

Stealth

3 techniques

T1027Obfuscated Files or InformationEvidence1

The main changes from earlier research centered primarily around code obfuscation being added by those developing this malware.

T1036MasqueradingEvidence1

Facebook found recent variants pretending to be popular Android applications for dating, networking, and regional banking in the Middle East.

T1564.001Hidden Files and DirectoriesEvidence1

the values for those C2 domains first contacted weren’t hardcoded in the Java layer, where they would be clearly visible, instead they were encrypted and stored in a separate ELF binary.

Discovery

1 technique

T1082System Information DiscoveryEvidence1

AbstractEmu can collect device IP address and SIM information; Android/SpyAgent has collected device network information, such as the IMEI and the phone number; ANDROIDOS_ANSERVER.A gathers the device IMEI and IMSI; many listed mobile malware families collect IMEI, IMSI, ICCID, MEID, serial number, phone number, MAC address, IP address, carrier, MCC/MNC, and related device/network identifiers.

Collection

5 techniques

T1005Data from Local SystemEvidence3

Retrieve photos from the camera roll ... Retrieve contacts ... Retrieve text messages ... Search for and return the path of files with a doc or PDF extension

T1113Screen CaptureEvidence1

The analyzed Arid Viper Android malware contained the following functionality: • Take screenshots or record video

T1123Audio CaptureEvidence1

Phenakite periodically recording audio and notifying C2 infrastructure... Similarly, Phenakite periodically uses the camera of a compromised device to take photos

T1125Video CaptureEvidence1

Phenakite periodically uses the camera of a compromised device to take photos and sends these automatically to attacker infrastructure.

T1560Archive Collected DataEvidence1

Search for files of specific types and add them to RAR archives for exfiltration

Command and Control

2 techniques

T1001Data ObfuscationEvidence1

Use Base64 to obfuscate command and control communications

T1071Application Layer ProtocolEvidence1

Some Primewire samples utilize “multipart/form-data” for command and control check-ins... other samples combine the C2 parameters into a single “application/x-www-form-urlencoded” POST body.

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence2

uploading any files present before recursively uploading any files in subdirectories.

INDICATORS OF COMPROMISE

IOCs tracked for this family

38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

33 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app—

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

mitre attack websiteNews

Apr 1, 2021

Data from Local System, Technique T1533 - Mobile | MITRE ATT&CK®

Android malware that retrieves device images for exfiltration.

mitre attack websiteNews

Apr 1, 2021

Data from Local System, Technique T1533 - Mobile | MITRE ATT&CK®

Malware that retrieves device images for exfiltration.

mitre attack websiteNews

Apr 1, 2021

Data from Local System, Technique T1533 - Mobile | MITRE ATT&CK®

Malware that retrieves device images for exfiltration.

mitre attack websiteNews

Jan 18, 2018

System Information Discovery, Technique T1426 - Mobile | MITRE ATT&CK®

Mobile malware that gathers manufacturer, model, and serial number information from devices.

+6 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching38

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.