S0421 GolfSpy

GolfSpy is Android spyware deployed by the group Bouncing Golf.[1]

| Item | Value |
| --- | --- |
| ID | S0421 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 27 January 2020 |
| Last Modified | 26 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1433 | Access Call Log | GolfSpy can obtain the device’s call log.[1] |
| mobile | T1432 | Access Contact List | GolfSpy can obtain the device’s contact list.[1] |
| mobile | T1418 | Application Discovery | GolfSpy can obtain a list of installed applications.[1] |
| mobile | T1402 | Broadcast Receivers | GolfSpy registers for the USER_PRESENT broadcast intent and uses it as a trigger to take photos with the front-facing camera.[1] |
| mobile | T1429 | Capture Audio | GolfSpy can record audio and phone calls.[1] |
| mobile | T1512 | Capture Camera | GolfSpy can record video.[1] |
| mobile | T1414 | Capture Clipboard Data | GolfSpy can obtain clipboard contents.[1] |
| mobile | T1412 | Capture SMS Messages | GolfSpy can collect SMS messages.[1] |
| mobile | T1532 | Data Encrypted | GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[1] |
| mobile | T1533 | Data from Local System | GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.[1] |
| mobile | T1447 | Delete Device Data | GolfSpy can delete arbitrary files on the device.[1] |
| mobile | T1476 | Deliver Malicious App via Other Means | GolfSpy can install attacker-specified applications.[1] |
| mobile | T1430 | Location Tracking | GolfSpy can track the device’s location.[1] |
| mobile | T1406 | Obfuscated Files or Information | GolfSpy encodes its configurations using a customized algorithm.[1] |
| mobile | T1424 | Process Discovery | GolfSpy can obtain a list of running processes.[1] |
| mobile | T1513 | Screen Capture | GolfSpy can take screenshots.[1] |
| mobile | T1437 | Standard Application Layer Protocol | GolfSpy exfiltrates data using HTTP POST requests.[1] |
| mobile | T1426 | System Information Discovery | GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0097 | Bouncing Golf | [1] |

References
