S1214 Android/SpyAgent
Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.1 Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.1
| Item | Value |
|---|---|
| ID | S1214 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 24 March 2025 |
| Last Modified | 27 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1616 | Call Control | Android/SpyAgent can execute an automated phone call.1 |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Android/SpyAgent has attempted to detect anti-spam call applications.1 |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | Android/SpyAgent has used the official icon of the Korean police application and the package name “kpo,” which contain references related to the Korean police.1 |
| mobile | T1406 | Obfuscated Files or Information | Android/SpyAgent has used the Tencent packer to hide its malicious payload.1 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | Android/SpyAgent has exfiltrated SMS and MMS messages.1 |
| mobile | T1422 | System Network Configuration Discovery | Android/SpyAgent has collected device network information, such as the IMEI and the phone number.1 |
| mobile | T1481 | Web Service | Android/SpyAgent’s payload has obtained the C2 address via Twitter accounts.1 |
| mobile | T1481.001 | Dead Drop Resolver | Android/SpyAgent has used the Tencent Push Notification Service to receive commands from the C2 server.1 |