
Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)

Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)

Relationships. Level 1 rows relate clusters directly to Android/SpyAgent; Level 2 rows relate the sub-techniques listed at Level 1 to their parent techniques (Cluster A and Cluster B are the two ends of each relationship, Galaxy A/B the galaxy type of each end).

Cluster A                                                                           | Galaxy A       | Cluster B                                                                           | Galaxy B       | Level
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a)      | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69)                         | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)                     | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380)                          | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49)          | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | 1
Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)                     | Malware        | Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5)               | Attack Pattern | 1
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)                  | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)                     | Attack Pattern | 2
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49)          | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)                      | Attack Pattern | 2
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)                         | Attack Pattern | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 2
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380)                          | Attack Pattern | Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5)               | Attack Pattern | 2
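The relationship rows above are what an analyst usually wants out of this page: the set of ATT&CK mobile techniques attributed to Android/SpyAgent, ready to load into a coverage map. The following Python is an added example, not part of the MISP galaxy export or the McAfee report. It parses the flattened "Cluster A / Galaxy A / Cluster B / Galaxy B / Level" rows (the sample input is the twelve rows from this page, copied in as a constructed string), collects the Level 1 techniques for S1214, recovers the sub-technique to parent mapping from the Level 2 rows, and emits a minimal ATT&CK Navigator layer. The Navigator field names used (name, domain, techniques[].techniqueID, score, comment) are the commonly used ones but are an assumption here; check them against the Navigator version you run.

```python
"""Parse flattened MISP galaxy relationship rows for Android/SpyAgent (S1214)
and build an ATT&CK Navigator layer from the attributed techniques."""
import json
import re

# Constructed sample input: the header and the twelve relationship rows from the
# galaxy page, exactly as they read once the HTML table is flattened to text.
SAMPLE_ROWS = """\
Cluster A Galaxy A Cluster B Galaxy B Level
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware 1
Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) Malware Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) Attack Pattern 1
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 2
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) Attack Pattern Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 2
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 2
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) Attack Pattern 2
"""

# One cluster reads "<name> - <ATT&CK id> (<uuid>) <galaxy>". Names may contain
# "/" (Android/SpyAgent) but never " - ", so a lazy match up to " - " is safe.
_CLUSTER = (r"(.+?) - ([A-Z]\d{4}(?:\.\d{3})?) "
            r"\(([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\) (Attack Pattern|Malware)")
_ROW = re.compile(rf"^{_CLUSTER} {_CLUSTER} (\d+)$")


def parse_rows(text):
    """Return one dict per relationship row; the header and anything unparseable is skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        g = m.groups()
        rows.append({
            "a": {"name": g[0], "id": g[1], "uuid": g[2], "galaxy": g[3]},
            "b": {"name": g[4], "id": g[5], "uuid": g[6], "galaxy": g[7]},
            "level": int(g[8]),
        })
    return rows


def techniques_for(rows, software_id):
    """Technique IDs directly related (Level 1) to the given Malware cluster, whichever side it is on."""
    found = set()
    for r in rows:
        if r["level"] != 1:
            continue
        for this, other in ((r["a"], r["b"]), (r["b"], r["a"])):
            if (this["galaxy"] == "Malware" and this["id"] == software_id
                    and other["galaxy"] == "Attack Pattern"):
                found.add(other["id"])
    return found


def parent_map(rows):
    """Map sub-technique ID -> parent technique ID using the Level 2 attack-pattern rows.

    The parent is the side without a '.', and the sub-technique must extend it, so an
    unrelated pair of techniques at Level 2 is not misread as a parent link."""
    parents = {}
    for r in rows:
        ids = {r["a"]["id"], r["b"]["id"]}
        if r["level"] != 2 or len(ids) != 2:
            continue
        subs = [i for i in ids if "." in i]
        tops = [i for i in ids if "." not in i]
        if len(subs) == 1 and len(tops) == 1 and subs[0].startswith(tops[0] + "."):
            parents[subs[0]] = tops[0]
    return parents


def navigator_layer(name, technique_ids, domain="mobile-attack"):
    """Minimal ATT&CK Navigator layer. Field names are an assumption; verify against your Navigator version."""
    return {
        "name": name,
        "domain": domain,
        "techniques": [{"techniqueID": t, "score": 1, "comment": "from MISP galaxy relationship"}
                       for t in sorted(technique_ids)],
    }


ROWS = parse_rows(SAMPLE_ROWS)

if __name__ == "__main__":
    ids = techniques_for(ROWS, "S1214")
    print(json.dumps(navigator_layer("Android/SpyAgent (S1214)", ids), indent=2))
    print("sub-technique parents:", parent_map(ROWS))
```

Note that both Web Service (T1481) and its sub-technique Dead Drop Resolver (T1481.001) are attributed directly at Level 1, so a layer that only scores parents would under-count; the parent map is there so you can roll sub-techniques up or down deliberately rather than by accident.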