Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)

Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | 1 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | 2 |
| Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | 2 |