As of March 2026, a new generation of Android spyware has emerged that targets high-profile devices through the 5G Non-Standalone (NSA) deployment model. In NSA, 5G New Radio is added as a secondary carrier to an LTE anchor and the handset is still served by the 4G Evolved Packet Core (EPC), so all control-plane signaling (RRC anchored at the LTE eNodeB, NAS terminating at the MME) runs over 4G infrastructure. The campaigns described here exploit weaknesses in that inherited 4G signaling path and have demonstrated a high degree of stealth, persistence, and data-exfiltration capability. This report, authored by Oracle-42 Intelligence, analyzes the technical mechanisms, threat actor profiles, and mitigation strategies associated with this evolving threat. Organizations and individuals operating mission-critical or high-value devices are advised to adopt the countermeasures below without delay.
Key Findings
Exploitation of 5G NSA Signaling Weaknesses: Cyber adversaries are weaponizing flaws in the NSA architecture, in which control signaling still traverses 4G LTE systems, to deliver spyware to Android devices without any user interaction.
High-Profile Targeting: Threat actors are focusing on executives, government officials, and defense personnel, using spyware variants such as GhostPulse and NexusSteal to monitor communications, geolocation, and biometric data.
Zero-Click Delivery Mechanism: Multiple attack chains use silent SMS (Type 0 short messages, TP-PID 0x40, which the handset acknowledges to the network but never displays or stores) together with signaling-based exploits, for example SS7/MAP abuse, to trigger malware installation remotely and bypass controls that depend on the user opening a message or link.
Persistent and Modular Payloads: Recent variants employ rootkit capabilities, self-healing mechanisms, and encrypted command-and-control (C2) channels to evade detection and maintain long-term access.
Geopolitical Implications: Evidence suggests state-sponsored actors, particularly from regions with advanced 5G adoption, are behind these campaigns, aligning with broader strategic interests in surveillance and intelligence gathering.
Threat Landscape: 5G NSA Core and Android Spyware
The 5G Non-Standalone (NSA) deployment model adds a 5G radio access network (RAN) to existing 4G infrastructure: the LTE eNodeB remains the control-plane anchor and the 4G Evolved Packet Core (EPC) remains the core. Although NSA delivers higher data rates, it inherits the control-plane security weaknesses of 4G LTE. These include:
Unprotected Signaling Before and Around Authentication: In LTE, NAS and RRC signaling are ciphered and integrity-protected only after the security mode procedure completes. Messages exchanged before that point (Attach Request, Identity Request/Response, RRC connection setup, broadcast system information) travel in the clear and can be captured, spoofed or replayed by a rogue base station, and the IMSI itself can be requested in plaintext. Operators may also configure the null ciphering algorithm (EEA0), and inter-operator signaling on SS7 and Diameter interconnects is frequently unprotected in transit. Together these permit man-in-the-middle (MITM) and replay attacks against the control plane even though user data is encrypted.
SS7 and Diameter Protocol Flaws: Attackers with interconnect access exploit legacy Signaling System 7 (SS7/MAP) and Diameter interfaces to locate subscribers (e.g., MAP SendRoutingInfoForSM, ProvideSubscriberInfo, AnyTimeInterrogation), to deliver messages directly to a handset (MT-ForwardSM, including silent SMS), and to redirect a subscriber's traffic by registering a false serving node (MAP UpdateLocation, or its Diameter S6a equivalent).
Baseband-Level Vulnerabilities: Android baseband (modem) processors from major vendors (e.g., Qualcomm, MediaTek) have been found to contain undocumented debug ports and weak authentication, enabling firmware-level compromise. Because the baseband parses network-originated signaling before the Android OS ever sees it, such flaws are reachable by an attacker who controls, or can inject into, the serving network.
These systemic flaws are being exploited to deliver Android spyware variants such as GhostPulse, first identified in Q4 2025. GhostPulse is a modular malware suite that:
Uses callbacks executed at the baseband level, below the Android OS, to evade OS-level monitoring.
Hides command traffic steganographically in the audio of VoLTE calls (audio watermarking).
Exfiltrates data through DNS tunneling and protocol blending, for example embedding data in HTTP/3 (QUIC) traffic.
Includes a self-destruct mechanism triggered by a remote "kill switch" command delivered through paging of the device's IMSI.
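The DNS-tunneling exfiltration channel listed above is visible to a defender only in resolver or network telemetry, so the following added example (not code from this report, from GhostPulse, or from any product) shows the kind of per-zone heuristic a SOC would run over query logs: many unique names under one zone, long high-entropy leftmost labels, and query types other than A/AAAA. The log lines, zone names and thresholds are constructed for illustration and the zone extraction is deliberately simplified.

```python
"""Per-zone DNS tunneling heuristics over resolver query logs.

Added example for this report, not code from the original page or from any
product. The log lines and thresholds are constructed for illustration; tune
the thresholds against your own resolver's baseline before alerting on them.
"""
import hashlib
import math
from collections import defaultdict

# Constructed query log: "<epoch> <client> <qname> <qtype>" (not a real capture).
# Twelve queries carry 40 hex characters in the leftmost label of one zone, which
# is how a DNS exfiltration channel typically encodes its data chunks.
_TUNNEL = [
    f"1741770{i:03d} 10.20.0.7 "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:40]}.t.example.net TXT"
    for i in range(12)
]
_BENIGN = [
    "1741770100 10.20.0.7 www.example.com A",
    "1741770101 10.20.0.7 mail.example.com A",
    "1741770102 10.20.0.7 www.example.com AAAA",
    # one long label alone is not enough evidence: CDNs do this legitimately
    "1741770103 10.20.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn.example.org A",
]
SAMPLE_LOG = "\n".join(_TUNNEL + _BENIGN)

# Heuristic thresholds (assumptions for this example, not a published standard).
MIN_UNIQUE_SUBDOMAINS = 8
MIN_MEAN_LABEL_LEN = 24
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Plug-in entropy estimate, in bits per character, of one label."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str) -> str:
    """Treat the last two labels as the zone. A Public Suffix List lookup
    would be more accurate (co.uk and similar); kept simple here."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(log_text: str) -> dict:
    """Aggregate queries per zone and flag zones whose leftmost labels look like an encoded channel."""
    per_zone = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "non_addr": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        first = qname.rstrip(".").split(".")[0]
        z = per_zone[registered_zone(qname)]
        z["names"].add(qname.lower())
        z["lens"].append(len(first))
        z["ents"].append(shannon_entropy(first.lower()))
        z["total"] += 1
        if qtype.upper() not in ("A", "AAAA"):
            z["non_addr"] += 1
    report = {}
    for zone, z in per_zone.items():
        uniq = len(z["names"])
        mean_len = sum(z["lens"]) / len(z["lens"])
        mean_ent = sum(z["ents"]) / len(z["ents"])
        report[zone] = {
            "queries": z["total"],
            "unique_names": uniq,
            "mean_first_label_len": round(mean_len, 1),
            "mean_first_label_entropy": round(mean_ent, 2),
            "non_address_qtype_ratio": round(z["non_addr"] / z["total"], 2),
            "suspicious": (uniq >= MIN_UNIQUE_SUBDOMAINS
                           and mean_len >= MIN_MEAN_LABEL_LEN
                           and mean_ent >= MIN_MEAN_ENTROPY),
        }
    return report


if __name__ == "__main__":
    for zone, stats in analyze(SAMPLE_LOG).items():
        print(zone, stats)
```

The three conditions are combined deliberately: a single long random-looking label (the CDN name in the sample) is common and must not alert on its own, while a dozen distinct long labels under one zone in a short window, most of them TXT or NULL lookups, is the shape of a chunked channel. In production, key the aggregation by client as well as by zone and compute it over a sliding window rather than a whole file.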
The malware is delivered via a multi-stage attack chain:
Network-Level Trigger: An adversary with access to the 4G core, or to a compromised mobile network operator (MNO), sends a specially crafted silent SMS to the target device.
Baseband Exploitation: The message triggers a race condition in the modem firmware, causing the device to initiate an unauthorized network registration process.
Code Injection: A malicious APK is silently downloaded and installed through the Android package manager, either via a privileged component holding android.permission.INSTALL_PACKAGES (a signature-level permission that only platform- or OEM-signed apps can hold) or by abusing OEM over-the-air update mechanisms.
Persistence and Obfuscation: The payload achieves root-level persistence (via a planted su binary or a bootloader modification, the latter requiring an unlocked or otherwise compromised bootloader) and runs native code to bypass Android's runtime protections.
Threat Actor Analysis
Oracle-42 Intelligence assesses with high confidence that the following threat actor groups are responsible for deploying these spyware variants:
APT29 (Cozy Bear): Russian cyber-espionage group that uses GhostPulse for intelligence collection on NATO-aligned officials; assessed to reach 5G NSA signaling paths through compromised European MNOs.
APT31 (Judgment Panda): Chinese state-sponsored actor using NexusSteal to target Taiwanese government officials and semiconductor executives. Exploits weak Diameter routing in East Asian networks.
OceanLotus (APT32): Vietnamese group operating a commercial spyware-as-a-service model, selling 5G NSA exploit kits to other state actors and cyber mercenaries.
These groups increasingly rely on enabling intrusions, such as compromise of core network equipment (e.g., Huawei or Ericsson core switches), to gain deeper access to 5G NSA signaling paths.
Impact and Consequences
The deployment of 5G NSA-exploiting spyware has severe implications:
National Security: Compromise of high-profile devices could lead to real-time geopolitical intelligence leaks, including diplomatic communications and military coordination data.
Corporate Espionage: Sensitive intellectual property, M&A strategies, and R&D data are at risk, particularly in sectors like aerospace, semiconductors, and AI.
Privacy Erosion: Continuous location tracking, ambient audio capture, and biometric data harvesting threaten civil liberties and personal safety of targeted individuals.
Information Operations: Compromised devices belonging to journalists or policymakers could be used to seed targeted disinformation or to stage false-flag operations.
Detection and Mitigation Strategies
Organizations and individuals must adopt a layered defense strategy to counter this threat:
1. Network and Core-Level Defenses
Adopt 5G SA (Standalone) Architecture: Transition from NSA to SA to remove the dependence on the 4G control plane. SA adds user-plane integrity protection (which LTE lacks), conceals the permanent subscriber identifier over the air (the SUPI is sent as an encrypted SUCI, so the IMSI is not exposed in plaintext), and uses a Service-Based Architecture (SBA) in which core network functions authenticate each other with mutual TLS. This is an operator-side migration; a device owner cannot force SA attachment on a network that offers only NSA.
SS7/Diameter Firewalls: Deploy signaling firewalls (e.g., from AdaptiveMobile, Ericsson, or Nokia) at interconnects, configured along the lines of GSMA FS.11 (SS7) and FS.19 (Diameter), to detect and block anomalous signaling such as unsolicited MT-ForwardSM carrying Type 0 (silent) messages, location-probing operations (ProvideSubscriberInfo, AnyTimeInterrogation, SendRoutingInfoForSM from unexpected partners), and UpdateLocation from implausible networks.
Network Slicing Isolation: In SA deployments, place high-value subscribers on a dedicated slice (S-NSSAI) with its own core network functions so that a compromise elsewhere cannot reach their control plane. Slicing is not available in NSA, where the nearest equivalent is a dedicated core network (DECOR) in the EPC, and slicing isolates signaling paths without by itself adding encryption.
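Silent SMS appears three times in this report (as the zero-click trigger in Key Findings, as an SS7/MAP-delivered message in the threat landscape, and as step one of the attack chain), and the signaling-firewall recommendation above depends on recognizing it in traffic. The following added example, which is not code from this report or from any firewall vendor, shows how a Type 0 message is identified from the SMS-DELIVER TPDU that an MT-ForwardSM carries: the TP-Protocol-Identifier octet equals 0x40. The same parser surfaces the OTA and binary PIDs (0x7D to 0x7F) that carry payloads to the modem or SIM, and flags 8-bit user data with a header for review. All TPDUs are constructed test data.

```python
"""Triage SMS-DELIVER TPDUs for silent (Type 0) and OTA/binary short messages.

Added example for this report; it is not code from the original page, from a
signaling-firewall vendor, or from any spyware sample. Field layout follows
3GPP TS 23.040 (9.2.2.1 SMS-DELIVER, 9.2.3.9 TP-Protocol-Identifier,
9.2.3.10 TP-Data-Coding-Scheme). All TPDUs below are constructed test data.
"""
from dataclasses import dataclass

# TP-PID values worth alerting on at an interconnect (TS 23.040, 9.2.3.9).
SUSPICIOUS_PIDS = {
    0x40: "Type 0 (silent SMS): acknowledged by the handset, never displayed or stored",
    0x7D: "ME Data Download",
    0x7E: "ME De-personalization Short Message",
    0x7F: "(U)SIM Data Download (OTA to the SIM)",
}


@dataclass
class SmsDeliver:
    originating_address: str
    protocol_id: int
    data_coding_scheme: int
    service_centre_time: str
    user_data_length: int
    has_user_data_header: bool


def _semi_octets(raw: bytes, digits: int) -> str:
    """Decode BCD digits stored low nibble first; 0xF pads an odd digit count."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            out.append(str(b >> 4))
    return "".join(out)[:digits]


def _scts(raw: bytes) -> str:
    """TP-SCTS: YY MM DD hh mm ss tz as swapped BCD pairs; tz in quarter hours, sign in bit 3."""
    yy, mo, dd, hh, mi, ss = ((b & 0x0F) * 10 + (b >> 4) for b in raw[:6])
    tz = raw[6]
    sign = "-" if tz & 0x08 else "+"
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    return (f"20{yy:02d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d}"
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    """Parse the mandatory SMS-DELIVER header; the user data itself is left undecoded."""
    if len(tpdu) < 13:
        raise ValueError("TPDU too short for SMS-DELIVER")
    first = tpdu[0]
    if first & 0x03 != 0x00:                       # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    addr_digits, toa = tpdu[1], tpdu[2]
    addr_octets = (addr_digits + 1) // 2
    if len(tpdu) < 13 + addr_octets:
        raise ValueError("TPDU truncated inside the header")
    addr_raw = tpdu[3:3 + addr_octets]
    ton = (toa >> 4) & 0x07                        # type of number
    if ton == 0x05:                                # alphanumeric sender (GSM 7-bit)
        oa = "alnum:" + addr_raw.hex()
    else:
        oa = ("+" if ton == 0x01 else "") + _semi_octets(addr_raw, addr_digits)
    p = 3 + addr_octets
    return SmsDeliver(
        originating_address=oa,
        protocol_id=tpdu[p],
        data_coding_scheme=tpdu[p + 1],
        service_centre_time=_scts(tpdu[p + 2:p + 9]),
        user_data_length=tpdu[p + 9],
        has_user_data_header=bool(first & 0x40),   # TP-UDHI
    )


def _is_8bit_data(dcs: int) -> bool:
    """8-bit alphabet in the general group (bits 7-6 = 00) or the 0xF0 message-class group."""
    if dcs & 0xC0 == 0x00:
        return dcs & 0x0C == 0x04
    return dcs & 0xF0 == 0xF0 and bool(dcs & 0x04)


def triage(hex_tpdu: str) -> dict:
    """Return a verdict for one mobile-terminated short message: ALERT, REVIEW or OK."""
    msg = parse_sms_deliver(bytes.fromhex(hex_tpdu))
    if msg.protocol_id in SUSPICIOUS_PIDS:
        verdict, reason = "ALERT", SUSPICIOUS_PIDS[msg.protocol_id]
    elif msg.has_user_data_header and _is_8bit_data(msg.data_coding_scheme):
        verdict, reason = "REVIEW", "binary user data with a header (WAP push or vendor payload)"
    else:
        verdict, reason = "OK", "ordinary text message"
    return {"verdict": verdict, "reason": reason, "from": msg.originating_address,
            "pid": msg.protocol_id, "dcs": msg.data_coding_scheme,
            "scts": msg.service_centre_time, "udl": msg.user_data_length}


# Constructed TPDUs (not real captures): sender +1234567890, 2026-03-12 10:30:00 UTC.
SILENT_SMS = "040A91214365870940006230210103000000"            # PID 0x40, empty body
OTA_SMS = "440A9121436587097FF662302101030000050270000000"      # UDHI, PID 0x7F, DCS 0xF6
TEXT_SMS = "040A91214365870900006230210103000005E8329BFD06"     # PID 0x00, 7-bit "hello"

if __name__ == "__main__":
    for name, tpdu in (("silent", SILENT_SMS), ("ota", OTA_SMS), ("text", TEXT_SMS)):
        print(name, triage(tpdu))
```

On an interconnect this logic runs over the SM-RP-UI parameter of each MAP MT-ForwardSM (or the equivalent Diameter SGd message). Type 0 messages also have a legitimate use by carriers for presence checks, so the ALERT path should be combined with the originating SMSC global title and the peer network: a Type 0 message from an unknown partner to a subscriber on a high-value watch list is the event worth paging on, not every Type 0 message.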
2. Device-Level Hardening
Disable Unnecessary Interfaces: Turn off VoNR, RCS/IMS messaging and other services not required on high-risk devices, and disable 2G (Android 12 and later expose an "Allow 2G" toggle in the SIM settings) so the handset cannot be downgraded to a network with weaker authentication. Disable VoLTE only where voice is not needed at all: on an LTE network, turning VoLTE off forces circuit-switched fallback to 3G/2G for calls, which weakens voice security rather than improving it.
Use Hardware-Based Security: Deploy devices with a hardware-backed keystore (an ARM TrustZone TEE or, preferably, a dedicated secure element such as StrongBox); Android handsets do not ship a discrete TPM 2.0. Require a locked bootloader with Android Verified Boot (AVB) and signed, rollback-protected firmware updates, and use Android key attestation (the attestation certificate reports the verified boot state and whether the device is locked) to check these remotely before a device is enrolled.
Apply Minimal Permissions: Restrict Android apps to least-privilege access. Disable "Install unknown apps" and enforce this through enterprise mobility management (EMM) policy (in the Android Management API, set advancedSecurityOverrides.untrustedAppsPolicy to DISALLOW_INSTALL) so that sideloading cannot be re-enabled by the user.