GnatSpy Android Mobile Malware
GnatSpy is a family of malware that includes threats such as VAMP and FrozenCell. This family of mobile malware targets images, text messages, contacts and call history on infected devices. It can connect to command-and-control (C2) domains, which can be used to exfiltrate data.
The attackers send malicious files directly to the device for the users to download and install.
The communication with the C2 servers is encoded to avoid detection. The URL is shown below.

The following domains were used by various C2 servers:
Apps/files with the following hashes are connected to GnatSpy:
Affected Platforms
- All Android Devices

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.