S0509 FakeSpy
FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.1
| Item | Value |
|---|---|
| ID | S0509 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 15 September 2020 |
| Last Modified | 06 October 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1432 | Access Contact List | FakeSpy can collect the device’s contact list.1 |
| mobile | T1409 | Access Stored Application Data | FakeSpy can collect account information stored on the device, as well as data in external storage.1 |
| mobile | T1418 | Application Discovery | FakeSpy can collect a list of installed applications.1 |
| mobile | T1402 | Broadcast Receivers | FakeSpy can register for the BOOT_COMPLETED broadcast Intent.1 |
| mobile | T1412 | Capture SMS Messages | FakeSpy can collect SMS messages.1 |
| mobile | T1476 | Deliver Malicious App via Other Means | FakeSpy is spread via direct download links in SMS phishing messages.1 |
| mobile | T1523 | Evade Analysis Environment | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.1 |
| mobile | T1444 | Masquerade as Legitimate Application | FakeSpy masquerades as local postal service applications.1 |
| mobile | T1507 | Network Information Discovery | FakeSpy can collect the device’s network information.1 |
| mobile | T1406 | Obfuscated Files or Information | FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.1 |
| mobile | T1582 | SMS Control | FakeSpy can send SMS messages.1 |
| mobile | T1437 | Standard Application Layer Protocol | FakeSpy exfiltrates data using HTTP requests.1 |
| mobile | T1508 | Suppress Application Icon | FakeSpy can hide its icon if it detects that it is being run on an emulator.1 |
| mobile | T1426 | System Information Discovery | FakeSpy can collect device information, including OS version and device model.1 |
| mobile | T1422 | System Network Configuration Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.1 |