Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42)

Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | 1 |
| Android/SpyAgent - S1214 (f082d7dd-20a9-4157-93c0-75e7aea09e42) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) | Attack Pattern | 2 |
| Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |