MagicKarakurt, a commercial spyware, was operational in Southern Europe and Central Asia between October 2018 and January 2022. It targeted Android users and employed various tactics to evade both automated and manual analysis, although it did not employ any known techniques to bypass mobile security solutions. The spyware disguised itself as legitimate applications from mobile phone carriers and manufacturers.
To receive commands, MagicKarakurt used either Firebase Cloud Messaging or Huawei Mobile Services. During operation, the spyware downloaded modules from a secondary HTTP server and executed them. Additionally, it actively monitored system events and relay