S0408 FlexiSpy
FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.[1][2]
FlexiSpy markets itself as a parental control and employee monitoring application.[3]
Item | Value |
---|---|
ID | S0408 |
Associated Names | |
Type | TOOL |
Version | 1.0 |
Created | 04 September 2019 |
Last Modified | 14 October 2019 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1429 | Audio Capture | FlexiSpy can record both incoming and outgoing phone calls, as well as microphone audio.[2] |
mobile | T1533 | Data from Local System | FlexiSpy can monitor device photos and can also access browser history and bookmarks.[4] |
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | FlexiSpy uses root access to establish reboot hooks to re-install the application from /data/misc/adn.[1] At boot, FlexiSpy spawns daemons for process monitoring, call monitoring, call managing, and system.[1] |
mobile | T1628 | Hide Artifacts | - |
mobile | T1628.001 | Suppress Application Icon | FlexiSpy is capable of hiding SuperSU's icon if it is installed and visible.[1] FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.[4] |
mobile | T1625 | Hijack Execution Flow | - |
mobile | T1625.001 | System Runtime API Hijacking | FlexiSpy installs boot hooks into /system/su.d.[1] |
mobile | T1630 | Indicator Removal on Host | - |
mobile | T1630.002 | File Deletion | FlexiSpy can delete data from a compromised device.[2] |
mobile | T1417 | Input Capture | - |
mobile | T1417.001 | Keylogging | FlexiSpy can record keystrokes and analyze them for keywords.[4] |
mobile | T1430 | Location Tracking | FlexiSpy can track the device's location.[2] |
mobile | T1509 | Non-Standard Port | FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[1] |
mobile | T1406 | Obfuscated Files or Information | FlexiSpy encrypts its configuration file using AES.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.001 | Calendar Entries | FlexiSpy can collect the device calendars.[2] |
mobile | T1636.003 | Contact List | FlexiSpy can collect device contacts.[2] |
mobile | T1636.004 | SMS Messages | FlexiSpy can intercept SMS and MMS messages as well as monitor messages for keywords.[2][4] |
mobile | T1513 | Screen Capture | FlexiSpy can take screenshots of other applications.[4] |
mobile | T1418 | Software Discovery | FlexiSpy can retrieve a list of installed applications.[4] |
mobile | T1409 | Stored Application Data | FlexiSpy uses a FileObserver object to monitor the Skype and WeChat database files and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. FlexiSpy can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.[1] |
mobile | T1421 | System Network Connections Discovery | FlexiSpy can collect a list of known Wi-Fi access points.[4] |
mobile | T1512 | Video Capture | FlexiSpy can record video.[2] |