S0408 FlexiSpy

FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly available, comprehensive analysis has only been found for the Android version.[1][2]

FlexiSpy markets itself as a parental control and employee monitoring application.[3]

| Item | Value |
|---|---|
| ID | S0408 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 04 September 2019 |
| Last Modified | 14 October 2019 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1435 | Access Calendar Entries | FlexiSpy can collect the device calendars.[2] |
| mobile | T1432 | Access Contact List | FlexiSpy can collect device contacts.[2] |
| mobile | T1409 | Access Stored Application Data | FlexiSpy uses a FileObserver object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. FlexiSpy can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.[1] |
| mobile | T1418 | Application Discovery | FlexiSpy can retrieve a list of installed applications.[4] |
| mobile | T1402 | Broadcast Receivers | FlexiSpy uses root access to establish reboot hooks to re-install the application from /data/misc/adn.[1] At boot, FlexiSpy spawns daemons for process monitoring, call monitoring, call managing, and system.[1] |
| mobile | T1429 | Capture Audio | FlexiSpy can record both incoming and outgoing phone calls, as well as microphone audio.[2] |
| mobile | T1512 | Capture Camera | FlexiSpy can record video.[2] |
| mobile | T1412 | Capture SMS Messages | FlexiSpy can intercept SMS and MMS messages as well as monitor messages for keywords.[2][4] |
| mobile | T1533 | Data from Local System | FlexiSpy can monitor device photos and can also access browser history and bookmarks.[4] |
| mobile | T1447 | Delete Device Data | FlexiSpy can delete data from a compromised device.[2] |
| mobile | T1417 | Input Capture | FlexiSpy can record keystrokes and analyze them for keywords.[4] |
| mobile | T1430 | Location Tracking | FlexiSpy can track the device’s location.[2] |
| mobile | T1400 | Modify System Partition | FlexiSpy installs boot hooks into /system/su.d.[1] |
| mobile | T1507 | Network Information Discovery | FlexiSpy can collect a list of known Wi-Fi access points.[4] |
| mobile | T1406 | Obfuscated Files or Information | FlexiSpy encrypts its configuration file using AES.[1] |
| mobile | T1513 | Screen Capture | FlexiSpy can take screenshots of other applications.[4] |
| mobile | T1508 | Suppress Application Icon | FlexiSpy is capable of hiding SuperSU’s icon if it is installed and visible.[1] FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.[4] |
| mobile | T1509 | Uncommonly Used Port | FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[1] |

References
