
S0425 Corona Updates

Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware were found hosted on the Google Play Store.[1]

| Item | Value |
|---|---|
| ID | S0425 |
| Associated Names | Wabi Music, Concipit1248 |
| Version | 1.1 |
| Created | 24 April 2020 |
| Last Modified | 11 September 2020 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Wabi Music | [1] |
| Concipit1248 | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1433 | Access Call Log | Corona Updates can collect the device’s call log.[1] |
| mobile | T1432 | Access Contact List | Corona Updates can collect device contacts.[1] |
| mobile | T1517 | Access Notifications | Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.[1] |
| mobile | T1429 | Capture Audio | Corona Updates can record MP4 files and monitor calls.[1] |
| mobile | T1512 | Capture Camera | Corona Updates can take pictures using the camera and can record MP4 files.[1] |
| mobile | T1412 | Capture SMS Messages | Corona Updates can collect SMS messages.[1] |
| mobile | T1533 | Data from Local System | Corona Updates can collect voice notes, device accounts, and gallery images.[1] |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | Corona Updates has been distributed through the Play Store.[1] |
| mobile | T1430 | Location Tracking | Corona Updates can track the device’s location.[1] |
| mobile | T1582 | SMS Control | Corona Updates can send SMS messages.[1] |
| mobile | T1437 | Standard Application Layer Protocol | Corona Updates communicates with the C2 server using HTTP requests and has exfiltrated data using FTP.[1] |
| mobile | T1426 | System Information Discovery | Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.[1] |
| mobile | T1422 | System Network Configuration Discovery | Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.[1] |

