
S1079 BOULDSPY

BOULDSPY is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that BOULDSPY primarily targeted minority groups in Iran.[1]

| Item | Value |
|---|---|
| ID | S1079 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 July 2023 |
| Last Modified | 20 October 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | BOULDSPY uses unencrypted HTTP traffic between the victim and C2 infrastructure.[1] |
| mobile | T1532 | Archive Collected Data | BOULDSPY can encrypt its data before exfiltration.[1] |
| mobile | T1429 | Audio Capture | BOULDSPY can access a device's microphone to record audio, as well as cell and VoIP application calls.[1] |
| mobile | T1398 | Boot or Logon Initialization Scripts | BOULDSPY can exfiltrate data when the user boots the app, or on device boot.[1] |
| mobile | T1414 | Clipboard Data | BOULDSPY can collect clipboard data.[1] |
| mobile | T1577 | Compromise Application Executable | BOULDSPY can inject malicious packages into applications already existing on an infected device.[1] |
| mobile | T1533 | Data from Local System | BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device.[1] |
| mobile | T1407 | Download New Code at Runtime | BOULDSPY can download and run code obtained from the C2.[1] |
| mobile | T1624 | Event Triggered Execution | BOULDSPY uses a background service that can restart itself when the parent activity is stopped.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | BOULDSPY has exfiltrated cached data from infected devices.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | BOULDSPY can capture keystrokes.[1] |
| mobile | T1430 | Location Tracking | BOULDSPY can get a device's location using GPS or network.[1] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | BOULDSPY has been installed using the package name com.android.callservice, pretending to be an Android system service.[1] |
| mobile | T1644 | Out of Band Data | BOULDSPY can use SMS to send C2 commands.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | BOULDSPY can access device call logs.[1] |
| mobile | T1636.003 | Contact List | BOULDSPY can exfiltrate a device's contacts.[1] |
| mobile | T1636.004 | SMS Messages | BOULDSPY can exfiltrate SMS logs.[1] |
| mobile | T1513 | Screen Capture | BOULDSPY can take and exfiltrate screenshots.[1] |
| mobile | T1418 | Software Discovery | BOULDSPY can retrieve the list of installed applications.[1] |
| mobile | T1409 | Stored Application Data | BOULDSPY can retrieve account information for third-party services, such as Google, Telegram, WeChat, or WhatsApp.[1] |
| mobile | T1426 | System Information Discovery | BOULDSPY can collect system information, such as Android version and device identifiers.[1] |
| mobile | T1422 | System Network Configuration Discovery | BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information.[1] |
| mobile | T1422.001 | Internet Connection Discovery | BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information.[1] |
| mobile | T1422.002 | Wi-Fi Discovery | BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information.[1] |
| mobile | T1512 | Video Capture | BOULDSPY can take photos using the device cameras.[1] |

References