Domain | ID | Name | Use
---|---|---|---
Mobile | T1429 | Audio Capture |
Mobile | T1645 | Compromise Client Software Binary | SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[1]
Mobile | T1407 | Download New Code at Runtime | SpyDealer downloads and executes root exploits from a remote server.[1]
Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | SpyDealer registers a broadcast receiver to listen for events related to device boot-up.[1]
Mobile | T1404 | Exploitation for Privilege Escalation | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privileges and maintain persistence on the victim device.[1]
Mobile | T1430 | Location Tracking |
Mobile | T1644 | Out of Band Data | SpyDealer enables remote control of the victim device through SMS channels.[1]
Mobile | T1636.002 | Protected User Data: Call Log |
Mobile | T1636.003 | Protected User Data: Contact List |
Mobile | T1636.004 | Protected User Data: SMS Messages |
Mobile | T1513 | Screen Capture | SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.[1]
Mobile | T1409 | Stored Application Data | SpyDealer exfiltrates data from over 40 apps, including WeChat, Facebook, WhatsApp, and Skype.[1]
Mobile | T1422 | System Network Configuration Discovery | SpyDealer harvests the device phone number, IMEI, and IMSI.[1]
Mobile | T1512 | Video Capture | SpyDealer can record video and take photos via the front and rear cameras.[1]