• First known sample

  • Discovery

  • Current status

    Inactive since 2022
  • Type

  • Targeted platforms

  • TOP targeted countries

    Kazakhstan , Romania , Russia , The United Kingdom
  • The way of propagation

    APK downloaded from a website
  • Purpose/Functions

  • Implant

    MagicKarakurt Plugins

  • Description

    MagicKarakurt, a commercial spyware, was operational in Southern Europe and Central Asia between October 2018 and January 2022. It specifically targeted Android users and employed various tactics to evade both automated and manual analysis, although it did not employ any known techniques to bypass mobile security solutions. The spyware cleverly disguised itself as legitimate applications from mobile phone carriers and manufacturers.
    To receive commands, MagicKarakurt utilized either Firebase Cloud Messaging or Huawei Mobile Services. During its operation, the spyware would download modules from a secondary HTTP server and execute them. Additionally, it actively monitored system events and relay