

SpyDealer is Android malware that exfiltrates sensitive data from Android devices. [1]

ID: S0324
Platforms: Android
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1453 | Abuse Accessibility Features | SpyDealer abuses Android Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ. [1] |
| Mobile | T1433 | Access Call Log | SpyDealer harvests phone call history from victims. [1] |
| Mobile | T1432 | Access Contact List | SpyDealer harvests contact lists from victims. [1] |
| Mobile | T1409 | Access Sensitive Data or Credentials in Files | SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others. [1] |
| Mobile | T1438 | Alternate Network Mediums | SpyDealer enables remote control of the victim through SMS channels. [1] |
| Mobile | T1402 | App Auto-Start at Device Boot | SpyDealer registers a broadcast receiver to listen for events related to device boot-up. [1] |
| Mobile | T1412 | Capture SMS Messages | SpyDealer harvests SMS and MMS messages from victims. [1] |
| Mobile | T1407 | Download New Code at Runtime | SpyDealer downloads and executes root exploits from a remote server. [1] |
| Mobile | T1404 | Exploit OS Vulnerability | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim. [1] |
| Mobile | T1430 | Location Tracking | SpyDealer harvests location data from victims. [1] |
| Mobile | T1429 | Microphone or Camera Recordings | SpyDealer can record phone calls and surrounding audio and video, as well as take photos via front and rear cameras. [1] |
| Mobile | T1400 | Modify System Partition | SpyDealer maintains persistence by installing an Android application package (APK) on the system partition. [1] |
| Mobile | T1422 | System Network Configuration Discovery | SpyDealer harvests phone number, IMEI, and IMSI. [1] |