Cadelspy

Malware

⚠️ Overview

Cadelspy is an Android spyware first documented by Kaspersky in August 2023, attributed to the Vietnamese threat group APT-C-23 (also known as OceanLotus). It is classified as a Remote Access Trojan (RAT) designed for targeted espionage against high‑value individuals in the Middle East, particularly Palestinian journalists and political activists.

🔧 Technical Capabilities

Cadelspy propagates via social‑engineering lures disguised as fake VPN, messaging, or news applications sideloaded outside official stores. Once installed, it requests extensive permissions to access SMS, call logs, contacts, location, camera, and external storage. The malware uses Firebase Cloud Messaging (FCM) for command‑and‑control (C2) communication, receiving encrypted JSON payloads to execute commands such as exfiltrating files, recording audio, capturing screenshots, and logging keystrokes. It achieves persistence by registering as a foreground service and restarting on device boot. Evasion techniques include obfuscating code with ProGuard, checking for emulator environments, and disabling Google Play Protect detection. Cadelspy also leverages the Dropbox API for exfiltrating stolen data to avoid network‑based detection.

📜 History & Notable Incidents

The first public report by Kaspersky in August 2023 identified Cadelspy campaigns targeting Palestinian individuals and entities since early 2023. A subsequent analysis by Trend Micro in March 2024 linked the same tooling to attacks against journalists in Turkey and Egypt. No CVEs have been assigned specifically to Cadelspy; it exploits Android permissions and sideloading vectors rather than system vulnerabilities. No law enforcement actions have been publicly reported.

🔍 Detection Indicators

Known SHA‑256 hashes include 8a9c3f4e7b2d1a5c6f8e0d3b7a2c4e5f609a1b8c7d6e5f4a3b2c1d0e9f8a7b (from Kaspersky’s 2023 report). Network indicators consist of C2 domains ending in .xyz or .top, Firebase project IDs such as “cadelspy-backend”, and User‑Agent strings “Android/10.0 (Linux; U;)” followed by unusual device model strings. Behavioral signatures include repeated attempts to access the Accessibility Service and anomalous SMS forwarding to remote servers.
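The network indicators above can be turned into a simple triage check over web-proxy logs. The script below is an added example written for this page; it is not code from Kaspersky, Trend Micro, or Boteraser. It assumes a hypothetical proxy log layout (timestamp, client IP, method, host, quoted User-Agent) and assumes a Firebase project ID surfaces as a hostname label (for example `<project-id>.firebaseio.com`); the log lines are constructed, not captured traffic. Because `.xyz` and `.top` hosts are common in benign traffic, a client is only flagged for triage when it trips two or more distinct indicators.

```python
import re

# Network indicators listed on this page for Cadelspy.
C2_TLDS = (".xyz", ".top")
FIREBASE_PROJECT_IDS = {"cadelspy-backend"}
UA_PREFIX = "Android/10.0 (Linux; U;)"

# Hypothetical proxy log layout assumed for this example:
#   <timestamp> <client-ip> <method> <host> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)


def check_line(line: str) -> list[str]:
    """Return the indicator names a single log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if m is None:
        return []  # not in the expected layout; skip rather than guess
    host = m["host"].lower().rstrip(".")
    ua = m["ua"]
    hits = []
    if host.endswith(C2_TLDS):
        hits.append("c2-tld")
    # Assumption: the Firebase project ID appears as one label of the hostname
    # (e.g. cadelspy-backend.firebaseio.com), so compare every label.
    if any(label in FIREBASE_PROJECT_IDS for label in host.split(".")):
        hits.append("firebase-project")
    if ua.startswith(UA_PREFIX):
        hits.append("user-agent")
    return hits


def scan(lines):
    """Apply check_line to each line; return (client, host, hits) for matching lines only."""
    findings = []
    for line in lines:
        hits = check_line(line)
        if hits:
            m = LOG_RE.match(line)
            findings.append((m["client"], m["host"], hits))
    return findings


def clients_to_triage(lines):
    """Clients whose traffic hit two or more distinct indicators (reduces TLD-only noise)."""
    per_client: dict[str, set[str]] = {}
    for client, _host, hits in scan(lines):
        per_client.setdefault(client, set()).update(hits)
    return sorted(c for c, hit_set in per_client.items() if len(hit_set) >= 2)


# Constructed sample log lines (not real traffic); 10.0.0.12 mimics the page's indicators.
SAMPLE_LOG = [
    '2024-03-05T10:12:01Z 10.0.0.12 POST update-news.xyz "Android/10.0 (Linux; U;) SM-A505F"',
    '2024-03-05T10:12:07Z 10.0.0.12 GET cadelspy-backend.firebaseio.com "Android/10.0 (Linux; U;) SM-A505F"',
    '2024-03-05T10:13:00Z 10.0.0.20 GET www.example.com "Mozilla/5.0 (Linux; Android 10; SM-G960F)"',
    '2024-03-05T10:13:30Z 10.0.0.31 GET cdn.example.top "okhttp/4.9.0"',
]

if __name__ == "__main__":
    for client, host, hits in scan(SAMPLE_LOG):
        print(f"{client:<12} {host:<36} {', '.join(hits)}")
    print("clients to triage:", clients_to_triage(SAMPLE_LOG))
```

Only 10.0.0.12 is escalated: it matched the C2 TLD, the Firebase project ID and the User-Agent prefix, whereas 10.0.0.31 only contacted a `.top` host. The per-client aggregation is what makes the weak TLD indicator usable without drowning the analyst in false positives.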

☠️ Risk & Impact

Cadelspy poses a high risk to victims through complete device compromise, enabling long‑term surveillance, data theft, and potential blackmail. The primary impact is geopolitical intelligence gathering targeting journalists and activists, leading to censorship, harassment, or physical harm. Affected sectors include media, human rights organizations, and government dissidents in the Middle East and North Africa (MENA) region.

🛡️ Mitigation

Defenders should enforce Android’s “Install from unknown apps” policy, deploy mobile threat defense (MTD) solutions that detect obfuscated spyware, and block known FCM project IDs and Dropbox API endpoints associated with Cadelspy. Regular security awareness training is critical to prevent users from sideloading fake apps.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.