{
  "description": "Mobile techniques used by SpyC23, ATT&CK software S1195 (v1.0)",
  "name": "SpyC23 (S1195)",
  "domain": "mobile-attack",
  "versions": {
    "layer": "4.5",
    "attack": "19",
    "navigator": "5.3.2"
  },
  "techniques": [
    {
      "techniqueID": "T1517",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) reads notifications from applications and connected wearables.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1437",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1437.001",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1429",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can record phone calls and audio.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1616",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can make phone calls.(Citation: welivesecurity_apt-c-23)(Citation: SentinelLabs AridViper 2023)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1533",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can collect and exfiltrate files with specific extensions, such as .pdf and .doc.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1624",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1624.001",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) listens for the `BOOT_COMPLETED` broadcast to activate malware.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1628",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1628.001",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can hide its icon.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1628.002",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) has used blank screen overlays to hide malicious activity from the user.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1629",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1629.003",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) has disabled Play Protect.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1544",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can download additional malware to the victim device.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: SentinelLabs AridViper 2023)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1430",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can access the device's location.(Citation: SentinelLabs AridViper 2023)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1655",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1655.001",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) has masqueraded as legitimate messaging applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1406",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) has used obfuscation techniques to hide its hardcoded C2 address.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1644",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can receive Command and Control commands from SMS messages.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1636",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.002",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the call log.(Citation: threatpost AndroidSpyware 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.003",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the victim device\u2019s contact list.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1636.004",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can read and exfiltrate SMS messages.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1513",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can record the screen and take screenshots of the victim device.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1582",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can send SMS messages.(Citation: welivesecurity_apt-c-23)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1512",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) can capture pictures and videos.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1633",
      "comment": "[SpyC23](https://attack.mitre.org/software/S1195) uses code obfuscation and anti-virtualization techniques to hinder analysis.(Citation: SentinelLabs AridViper 2023)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {"label": "used by SpyC23", "color": "#66b1ff"}
  ]
}