Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)

Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 2 |