SpyDealer is Android malware that exfiltrates sensitive data from Android devices. [1]

ID: S0324
Platforms: Android
Version: 1.2
Created: 17 October 2018
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

SpyDealer can record phone calls and surrounding audio.[1]

Mobile T1645 Compromise Client Software Binary

SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[1]

Mobile T1407 Download New Code at Runtime

SpyDealer downloads and executes root exploits from a remote server.[1]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

SpyDealer registers the broadcast receiver to listen for events related to device boot-up.[1]

Mobile T1404 Exploitation for Privilege Escalation

SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[1]

Mobile T1430 Location Tracking

SpyDealer harvests location data from victims.[1]

Mobile T1644 Out of Band Data

SpyDealer enables remote control of the victim through SMS channels.[1]

Mobile T1636 .002 Protected User Data: Call Log

SpyDealer harvests phone call history from victims.[1]

.003 Protected User Data: Contact List

SpyDealer harvests contact lists from victims.[1]

.004 Protected User Data: SMS Messages

SpyDealer harvests SMS and MMS messages from victims.[1]

Mobile T1513 Screen Capture

SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.[1]

Mobile T1409 Stored Application Data

SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.[1]

Mobile T1422 System Network Configuration Discovery

SpyDealer harvests the device phone number, IMEI, and IMSI.[1]

Mobile T1512 Video Capture

SpyDealer can record video and take photos via front and rear cameras.[1]