FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly available, comprehensive analysis has been found only for the Android version.[1][2]

FlexiSpy markets itself as a parental control and employee monitoring application.[3]

ID: S0408
Type: TOOL
Platforms: Android
Contributors: Emily Ratliff, IBM
Version: 1.0
Created: 04 September 2019
Last Modified: 14 October 2019

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

FlexiSpy can record both incoming and outgoing phone calls, as well as microphone audio.[2]

Mobile T1533 Data from Local System

FlexiSpy can monitor device photos and can also access browser history and bookmarks.[4]

Mobile T1624.001 Event Triggered Execution: Broadcast Receivers

FlexiSpy uses root access to establish reboot hooks to re-install the application from /data/misc/adn.[1] At boot, FlexiSpy spawns daemons for process monitoring, call monitoring, call managing, and system.[1]

Mobile T1628.001 Hide Artifacts: Suppress Application Icon

FlexiSpy is capable of hiding SuperSU's icon if it is installed and visible.[1] FlexiSpy can also hide its own icon to make detection and the uninstallation process more difficult.[4]

Mobile T1625.001 Hijack Execution Flow: System Runtime API Hijacking

FlexiSpy installs boot hooks into /system/su.d.[1]

Mobile T1630.002 Indicator Removal on Host: File Deletion

FlexiSpy can delete data from a compromised device.[2]

Mobile T1417.001 Input Capture: Keylogging

FlexiSpy can record keystrokes and analyze them for keywords.[4]

Mobile T1430 Location Tracking

FlexiSpy can track the device's location.[2]

Mobile T1509 Non-Standard Port

FlexiSpy can communicate with the command and control server over ports 12512 and 12514.[1]

Mobile T1406 Obfuscated Files or Information

FlexiSpy encrypts its configuration file using AES.[1]

Mobile T1636.001 Protected User Data: Calendar Entries

FlexiSpy can collect the device calendars.[2]

Mobile T1636.003 Protected User Data: Contact List

FlexiSpy can collect device contacts.[2]

Mobile T1636.004 Protected User Data: SMS Messages

FlexiSpy can intercept SMS and MMS messages as well as monitor messages for keywords.[2][4]

Mobile T1513 Screen Capture

FlexiSpy can take screenshots of other applications.[4]

Mobile T1418 Software Discovery

FlexiSpy can retrieve a list of installed applications.[4]

Mobile T1409 Stored Application Data

FlexiSpy uses a FileObserver object to monitor the Skype and WeChat database files and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. FlexiSpy can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.[1]

Mobile T1421 System Network Connections Discovery

FlexiSpy can collect a list of known Wi-Fi access points.[4]

Mobile T1512 Video Capture

FlexiSpy can record video.[2]