Domain | ID | Name | Use |
---|---|---|---|
Mobile | T1433 | Access Call Log | |
Mobile | T1432 | Access Contact List | |
Mobile | T1409 | Access Stored Application Data | SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.[1] |
Mobile | T1438 | Alternate Network Mediums | SpyDealer enables remote control of the victim through SMS channels.[1] |
Mobile | T1402 | Broadcast Receivers | SpyDealer registers the broadcast receiver to listen for events related to device boot-up.[1] |
Mobile | T1429 | Capture Audio | |
Mobile | T1512 | Capture Camera | SpyDealer can record video and take photos via front and rear cameras.[1] |
Mobile | T1412 | Capture SMS Messages | |
Mobile | T1407 | Download New Code at Runtime | SpyDealer downloads and executes root exploits from a remote server.[1] |
Mobile | T1404 | Exploit OS Vulnerability | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.[1] |
Mobile | T1430 | Location Tracking | |
Mobile | T1400 | Modify System Partition | SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.[1] |
Mobile | T1513 | Screen Capture | SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.[1] |
Mobile | T1422 | System Network Configuration Discovery | SpyDealer harvests the device phone number, IMEI, and IMSI.[1] |