GolfSpy is Android spyware deployed by the group Bouncing Golf.[1]

ID: S0421
Platforms: Android
Version: 1.0
Created: 27 January 2020
Last Modified: 26 March 2020

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

GolfSpy can obtain the device’s call log.[1]

Mobile T1432 Access Contact List

GolfSpy can obtain the device’s contact list.[1]

Mobile T1418 Application Discovery

GolfSpy can obtain a list of installed applications.[1]

Mobile T1402 Broadcast Receivers

GolfSpy registers for the USER_PRESENT broadcast intent and uses it as a trigger to take photos with the front-facing camera.[1]

Mobile T1429 Capture Audio

GolfSpy can record audio and phone calls.[1]

Mobile T1512 Capture Camera

GolfSpy can record video.[1]

Mobile T1414 Capture Clipboard Data

GolfSpy can obtain clipboard contents.[1]

Mobile T1412 Capture SMS Messages

GolfSpy can collect SMS messages.[1]

Mobile T1532 Data Encrypted

GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[1]

Mobile T1533 Data from Local System

GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.[1]

Mobile T1447 Delete Device Data

GolfSpy can delete arbitrary files on the device.[1]

Mobile T1476 Deliver Malicious App via Other Means

GolfSpy can install attacker-specified applications.[1]

Mobile T1430 Location Tracking

GolfSpy can track the device’s location.[1]

Mobile T1406 Obfuscated Files or Information

GolfSpy encodes its configurations using a customized algorithm.[1]

Mobile T1424 Process Discovery

GolfSpy can obtain a list of running processes.[1]

Mobile T1513 Screen Capture

GolfSpy can take screenshots.[1]

Mobile T1437 Standard Application Layer Protocol

GolfSpy exfiltrates data using HTTP POST requests.[1]

Mobile T1426 System Information Discovery

GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.[1]

Groups That Use This Software

ID Name References
G0097 Bouncing Golf