{"description": "Mobile techniques used by Android/SpyAgent, ATT&CK software S1214 (v1.0)", "name": "Android/SpyAgent (S1214)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1616", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) can execute an automated phone call.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1629", "showSubtechniques": true}, {"techniqueID": "T1629.003", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has attempted to detect anti-spam call applications.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the official icon of the Korean police application and  the package name \u201ckpo,\u201d which contain references related to the Korean police.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1406", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent packer to hide its malicious payload.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has exfiltrated SMS and MMS messages.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has collected device network information, such as the IMEI and the phone number.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1481", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214)\u2019s payload has obtained the C2 address via Twitter accounts.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1481.001", "comment": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent Push Notification Service to receive commands from the C2 server.(Citation: McAfee MoqHao 2019) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Android/SpyAgent", "color": "#66b1ff"}]}