FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.[1]

ID: S0509
Platforms: Android
Contributors: Ofir Almkias, Cybereason
Version: 1.0
Created: 15 September 2020
Last Modified: 06 October 2020

Techniques Used

Domain | ID    | Name                                    | Use
-------|-------|-----------------------------------------|----------------------------------------------------------------------------------------------------
Mobile | T1432 | Access Contact List                     | FakeSpy can collect the device’s contact list.[1]
Mobile | T1409 | Access Stored Application Data          | FakeSpy can collect account information stored on the device, as well as data in external storage.[1]
Mobile | T1418 | Application Discovery                   | FakeSpy can collect a list of installed applications.[1]
Mobile | T1402 | Broadcast Receivers                     | FakeSpy can register for the BOOT_COMPLETED broadcast Intent.[1]
Mobile | T1412 | Capture SMS Messages                    | FakeSpy can collect SMS messages.[1]
Mobile | T1476 | Deliver Malicious App via Other Means   | FakeSpy is spread via direct download links in SMS phishing messages.[1]
Mobile | T1523 | Evade Analysis Environment              | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.[1]
Mobile | T1444 | Masquerade as Legitimate Application    | FakeSpy masquerades as local postal service applications.[1]
Mobile | T1507 | Network Information Discovery           | FakeSpy can collect the device’s network information.[1]
Mobile | T1406 | Obfuscated Files or Information         | FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.[1]
Mobile | T1582 | SMS Control                             | FakeSpy can send SMS messages.[1]
Mobile | T1437 | Standard Application Layer Protocol     | FakeSpy exfiltrates data using HTTP requests.[1]
Mobile | T1508 | Suppress Application Icon               | FakeSpy can hide its icon if it detects that it is being run on an emulator.[1]
Mobile | T1426 | System Information Discovery            | FakeSpy can collect device information, including OS version and device model.[1]
Mobile | T1422 | System Network Configuration Discovery  | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.[1]