Skip to content

S0324 SpyDealer

SpyDealer is Android malware that exfiltrates sensitive data from Android devices. 1

Item Value
ID S0324
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 15 October 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1433 Access Call Log SpyDealer harvests phone call history from victims.1
mobile T1432 Access Contact List SpyDealer harvests contact lists from victims.1
mobile T1409 Access Stored Application Data SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.1
mobile T1438 Alternate Network Mediums SpyDealer enables remote control of the victim through SMS channels.1
mobile T1402 Broadcast Receivers SpyDealer registers the broadcast receiver to listen for events related to device boot-up.1
mobile T1429 Capture Audio SpyDealer can record phone calls and surrounding audio.1
mobile T1512 Capture Camera SpyDealer can record video and take photos via front and rear cameras.1
mobile T1412 Capture SMS Messages SpyDealer harvests SMS and MMS messages from victims.1
mobile T1407 Download New Code at Runtime SpyDealer downloads and executes root exploits from a remote server.1
mobile T1404 Exploit OS Vulnerability SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.1
mobile T1430 Location Tracking SpyDealer harvests location data from victims.1
mobile T1400 Modify System Partition SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.1
mobile T1513 Screen Capture SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.1
mobile T1422 System Network Configuration Discovery SpyDealer harvests the device phone number, IMEI, and IMSI.1


Back to top