
S0509 FakeSpy

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

| Item | Value |
|---|---|
| ID | S0509 |
| Associated Names | |
| Version | 1.0 |
| Created | 15 September 2020 |
| Last Modified | 06 October 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | FakeSpy exfiltrates data using HTTP requests.[1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | FakeSpy can register for the BOOT_COMPLETED broadcast Intent.[1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | FakeSpy can hide its icon if it detects that it is being run on an emulator.[1] |
| mobile | T1406 | Obfuscated Files or Information | FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | FakeSpy can collect the device's contact list.[1] |
| mobile | T1636.004 | SMS Messages | FakeSpy can collect SMS messages.[1] |
| mobile | T1582 | SMS Control | FakeSpy can send SMS messages.[1] |
| mobile | T1418 | Software Discovery | FakeSpy can collect a list of installed applications.[1] |
| mobile | T1409 | Stored Application Data | FakeSpy can collect account information stored on the device, as well as data in external storage.[1] |
| mobile | T1426 | System Information Discovery | FakeSpy can collect device information, including OS version and device model.[1] |
| mobile | T1422 | System Network Configuration Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.[1] |
| mobile | T1421 | System Network Connections Discovery | FakeSpy can collect the device's network information.[1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.[1] |