(Lookout) The latest SpyWaller variants are capable of accessing the sensitive data of over 20 different apps, in addition to being able to record calls, capture surrounding audio, track a device's location, take pictures with the camera, and retrieve a list of installed packages. Initial infection is followed by requests to command and control infrastructure for the latest native code component that contains the bulk of SpyWaller's surveillanceware functionality. While we found the native code that is bundled up in the app is somewhat obfuscated, the latest binary served up by attacker infrastructure was not, and contains new code to target Facebook and Google Hangouts. These improvements in capability suggest that the actor behind SpyWaller may be deploying it in campaigns outside of China, where we believe the majority of previous activity to have been conducted.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
Tool: SpyWaller
Names: SpyWaller
Description: (Lookout) The latest SpyWaller variants are capable of accessing the sensitive data of over 20 different apps, in addition to being able to record calls, capture surrounding audio, track a device's location, take pictures with the camera, and retrieve a list of installed packages. Initial infection is followed by requests to command and control infrastructure for the latest native code component that contains the bulk of SpyWaller's surveillanceware functionality. While we found the native code that is bundled up in the app is somewhat obfuscated, the latest binary served up by attacker infrastructure was not, and contains new code to target Facebook and Google Hangouts. These improvements in capability suggest that the actor behind SpyWaller may be deploying it in campaigns outside of China, where we believe the majority of previous activity to have been conducted.
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Information: https://blog.lookout.com/spywaller-mobile-threat
Last-card-change: 2020-07-02
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |