S0509 FakeSpy
FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.1
| Item | Value |
|---|---|
| ID | S0509 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 15 September 2020 |
| Last Modified | 06 October 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | FakeSpy exfiltrates data using HTTP requests.1 |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | FakeSpy can register for the BOOT_COMPLETED broadcast Intent.1 |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | FakeSpy can hide its icon if it detects that it is being run on an emulator.1 |
| mobile | T1406 | Obfuscated Files or Information | FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.1 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | FakeSpy can collect the device’s contact list.1 |
| mobile | T1636.004 | SMS Messages | FakeSpy can collect SMS messages.1 |
| mobile | T1582 | SMS Control | FakeSpy can send SMS messages.1 |
| mobile | T1418 | Software Discovery | FakeSpy can collect a list of installed applications.1 |
| mobile | T1409 | Stored Application Data | FakeSpy can collect account information stored on the device, as well as data in external storage.1 |
| mobile | T1426 | System Information Discovery | FakeSpy can collect device information, including OS version and device model.1 |
| mobile | T1422 | System Network Configuration Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.1 |
| mobile | T1421 | System Network Connections Discovery | FakeSpy can collect the device’s network information.1 |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.1 |