Domain | ID | Name | Use |
---|---|---|---|
Mobile | T1432 | Access Contact List | |
Mobile | T1409 | Access Stored Application Data | FakeSpy can collect account information stored on the device, as well as data in external storage.[1] |
Mobile | T1418 | Application Discovery | |
Mobile | T1402 | Broadcast Receivers | FakeSpy can register for the |
Mobile | T1412 | Capture SMS Messages | |
Mobile | T1476 | Deliver Malicious App via Other Means | FakeSpy is spread via direct download links in SMS phishing messages.[1] |
Mobile | T1523 | Evade Analysis Environment | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly.[1] |
Mobile | T1444 | Masquerade as Legitimate Application | FakeSpy masquerades as local postal service applications.[1] |
Mobile | T1507 | Network Information Discovery | |
Mobile | T1406 | Obfuscated Files or Information | FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.[1] |
Mobile | T1582 | SMS Control | |
Mobile | T1437 | Standard Application Layer Protocol | |
Mobile | T1508 | Suppress Application Icon | FakeSpy can hide its icon if it detects that it is being run on an emulator.[1] |
Mobile | T1426 | System Information Discovery | FakeSpy can collect device information, including OS version and device model.[1] |
Mobile | T1422 | System Network Configuration Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI.[1] |