SpyDealer is Android malware that exfiltrates sensitive data from Android devices. [1]

ID: S0324
Platforms: Android
Version: 1.2
Created: 17 October 2018
Last Modified: 15 October 2019

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

SpyDealer harvests phone call history from victims.[1]

Mobile T1432 Access Contact List

SpyDealer harvests contact lists from victims.[1]

Mobile T1409 Access Stored Application Data

SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.[1]

Mobile T1438 Alternate Network Mediums

SpyDealer enables remote control of the victim through SMS channels.[1]

Mobile T1402 Broadcast Receivers

SpyDealer registers the broadcast receiver to listen for events related to device boot-up.[1]

Mobile T1429 Capture Audio

SpyDealer can record phone calls and surrounding audio.[1]

Mobile T1512 Capture Camera

SpyDealer can record video and take photos via front and rear cameras.[1]

Mobile T1412 Capture SMS Messages

SpyDealer harvests SMS and MMS messages from victims.[1]

Mobile T1407 Download New Code at Runtime

SpyDealer downloads and executes root exploits from a remote server.[1]

Mobile T1404 Exploit OS Vulnerability

SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[1]

Mobile T1430 Location Tracking

SpyDealer harvests location data from victims.[1]

Mobile T1400 Modify System Partition

SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[1]

Mobile T1513 Screen Capture

SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.[1]

Mobile T1422 System Network Configuration Discovery

SpyDealer harvests the device phone number, IMEI, and IMSI.[1]