
S0509 FakeSpy

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

| Item | Value |
|---|---|
| ID | S0509 |
| Associated Names | |
| Version | 1.0 |
| Created | 15 September 2020 |
| Last Modified | 06 October 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1432 | Access Contact List | FakeSpy can collect the device’s contact list.[1] |
| mobile | T1409 | Access Stored Application Data | FakeSpy can collect account information stored on the device, as well as data in external storage.[1] |
| mobile | T1418 | Application Discovery | FakeSpy can collect a list of installed applications.[1] |
| mobile | T1402 | Broadcast Receivers | FakeSpy can register for the BOOT_COMPLETED broadcast Intent.[1] |
| mobile | T1412 | Capture SMS Messages | FakeSpy can collect SMS messages.[1] |
| mobile | T1476 | Deliver Malicious App via Other Means | FakeSpy is spread via direct download links in SMS phishing messages.[1] |
| mobile | T1523 | Evade Analysis Environment | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | FakeSpy masquerades as local postal service applications.[1] |
| mobile | T1507 | Network Information Discovery | FakeSpy can collect the device’s network information.[1] |
| mobile | T1406 | Obfuscated Files or Information | FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.[1] |
| mobile | T1582 | SMS Control | FakeSpy can send SMS messages.[1] |
| mobile | T1437 | Standard Application Layer Protocol | FakeSpy exfiltrates data using HTTP requests.[1] |
| mobile | T1508 | Suppress Application Icon | FakeSpy can hide its icon if it detects that it is being run on an emulator.[1] |
| mobile | T1426 | System Information Discovery | FakeSpy can collect device information, including OS version and device model.[1] |
| mobile | T1422 | System Network Configuration Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.[1] |

