ATT&CK v16 has been released! Check out the blog post for more information.

GolfSpy

GolfSpy is Android spyware deployed by the group Bouncing Golf.^[1]

ID: S0421

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 27 January 2020

Last Modified: 26 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1532		Archive Collected Data	GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.^[1]
Mobile	T1429		Audio Capture	GolfSpy can record audio and phone calls.^[1]
Mobile	T1414		Clipboard Data	GolfSpy can obtain clipboard contents.^[1]
Mobile	T1533		Data from Local System	GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.^[1]
Mobile	T1624	.001	Event Triggered Execution: Broadcast Receivers	GolfSpy registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.^[1]
Mobile	T1646		Exfiltration Over C2 Channel	GolfSpy exfiltrates data using HTTP POST requests.^[1]
Mobile	T1630	.002	Indicator Removal on Host: File Deletion	GolfSpy can delete arbitrary files on the device.^[1]
Mobile	T1430		Location Tracking	GolfSpy can track the device’s location.^[1]
Mobile	T1406		Obfuscated Files or Information	GolfSpy encodes its configurations using a customized algorithm.^[1]
Mobile	T1424		Process Discovery	GolfSpy can obtain a list of running processes.^[1]
Mobile	T1636	.002	Protected User Data: Call Log	GolfSpy can obtain the device’s call log.^[1]
		.003	Protected User Data: Contact List	GolfSpy can obtain the device’s contact list.^[1]
		.004	Protected User Data: SMS Messages	GolfSpy can collect SMS messages.^[1]
Mobile	T1513		Screen Capture	GolfSpy can take screenshots.^[1]
Mobile	T1418		Software Discovery	GolfSpy can obtain a list of installed applications.^[1]
Mobile	T1426		System Information Discovery	GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.^[1]
Mobile	T1512		Video Capture	GolfSpy can record video.^[1]

Groups That Use This Software

ID	Name	References
G0097	Bouncing Golf	^[1]

References

E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.