Skip to content

S0324 SpyDealer

SpyDealer is Android malware that exfiltrates sensitive data from Android devices. 1

Item Value
ID S0324
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1429 Audio Capture SpyDealer can record phone calls and surrounding audio.1
mobile T1645 Compromise Client Software Binary SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.1
mobile T1407 Download New Code at Runtime SpyDealer downloads and executes root exploits from a remote server.1
mobile T1624 Event Triggered Execution -
mobile T1624.001 Broadcast Receivers SpyDealer registers the broadcast receiver to listen for events related to device boot-up.1
mobile T1404 Exploitation for Privilege Escalation SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.1
mobile T1430 Location Tracking SpyDealer harvests location data from victims.1
mobile T1644 Out of Band Data SpyDealer enables remote control of the victim through SMS channels.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log SpyDealer harvests phone call history from victims.1
mobile T1636.003 Contact List SpyDealer harvests contact lists from victims.1
mobile T1636.004 SMS Messages SpyDealer harvests SMS and MMS messages from victims.1
mobile T1513 Screen Capture SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.1
mobile T1409 Stored Application Data SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.1
mobile T1422 System Network Configuration Discovery SpyDealer harvests the device phone number, IMEI, and IMSI.1
mobile T1512 Video Capture SpyDealer can record video and take photos via front and rear cameras.1