{
	"id": "2425d63e-ead4-4a30-8c3d-7011e8ac43f6",
	"created_at": "2026-04-06T00:16:12.763965Z",
	"updated_at": "2026-04-10T03:22:01.679715Z",
	"deleted_at": null,
	"sha1_hash": "191efb5ffee88e3c53702ecae748404e555b45ff",
	"title": "Mobile APT (mAPT) SpyWaller May Include Western Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3046060,
	"plain_text": "Mobile APT (mAPT) SpyWaller May Include Western Targets\r\nBy Lookout\r\nPublished: 2018-01-10 · Archived: 2026-04-05 13:40:34 UTC\r\nLookout has discovered new variants of the SpyWaller surveillanceware with advanced espionage capabilities.\r\nThe variants now target Facebook Messenger, WhatsApp, and Google Hangouts among others, suggesting they\r\nare being used against Western targets.\r\nhttps://blog.lookout.com/spywaller-mobile-threat\r\nPage 1 of 5\r\nSpyWaller's continual evolution and sophistication indicate that an actor with significant resources is behind its\r\ndevelopment. Because of this, and because it appears quite targeted, Lookout considers it an mAPT — an APT that has\r\nevolved to focus on mobile devices. All Lookout customers are protected from this threat.\r\nWhat is SpyWaller\r\nThe SpyWaller family was first discovered in 2014 and came to the attention of security researchers due to its use\r\nof iptables in order to drop network connections made by specific antivirus applications. These early samples were\r\ncapable of retrieving sensitive information from a number of messaging apps and concealed this malicious\r\nfunctionality in encrypted asset files that were loaded during execution. The actors behind SpyWaller have been\r\nbusy evolving their tool, according to our analysis of the samples in the Lookout dataset, most notably by\r\nexpanding the number of apps that it can retrieve data from, and reimplementing all information-gathering\r\nfunctionality in native code as opposed to the Java layer.\r\nApplications that the latest versions of SpyWaller target include AireTalk, BlackBerry Messenger,\r\nCoco, Hi, Google Services Framework, Kakao Talk, KeeChat, Zapya, Line, MiTalk Messenger,\r\nOovoo, QQ, Skype, TalkBox Voice Messenger, Telegram, Viber, Voxer Walkie Talkie Messenger,\r\nWeChat, WhatsApp, Facebook, Google Hangouts, and Wi-Fi credentials. The majority of these apps\r\nare for messaging and communication; others are for file sharing.\r\nThe latest SpyWaller variants are capable of accessing the sensitive data of over 20 different apps, in addition to\r\nbeing able to record calls, capture surrounding audio, track a device's location, take pictures with the camera, and\r\nretrieve a list of installed packages.\r\nInitial infection is followed by requests to command and control infrastructure for the latest native code\r\ncomponent that contains the bulk of SpyWaller's surveillanceware functionality. While we found that the native code\r\nbundled in the app is somewhat obfuscated, the latest binary served up by attacker infrastructure was\r\nnot, and contains new code to target Facebook and Google Hangouts. These improvements in capability suggest\r\nthat the actor behind SpyWaller may be deploying it in campaigns outside of China, where we believe the majority\r\nof previous activity to have been conducted.\r\nSpyWaller can attempt to elevate its privileges, and most variants have been found to include exploits for local\r\nvulnerabilities. Analysis indicates that attacker infrastructure can also provide additional exploits if necessary. If\r\nSpyWaller is able to elevate its privileges, it attempts to establish persistence by copying various files to the\r\n/system/bin/ directory via the dd command. When deobfuscated, this full command is:\r\nmount -o remount system /system;dd if=\u003capk data data directory\u003e/files/update of=/system/bin/update;chmod 6777 /system/bin/update;\r\nThe latest versions of SpyWaller primarily communicate on the non-standard port of 5353 to IPs that reside in\r\nChina. The following addresses are associated with recent SpyWaller variants.\r\nThese IPs can be geolocated to within China, visualized in the map above. 4 IPs are concentrated\r\nnear the Xinjiang province in northwest China, 2 to the coordinates near Shandong, and 1 to each\r\nof the remaining highlighted points.\r\nSHA-1\r\nAuthors\r\nMichael Flossman\r\nHead of Threat Intelligence\r\nMichael is Head of Threat Intelligence at Lookout, where he works on reverse engineering sophisticated mobile\r\nthreats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering\r\nand the prototyping of automated analysis solutions. When not analysing malware, there’s a good chance he’s off\r\nsnowboarding, diving, or looking for flaws in popular mobile apps.\r\nSource: https://blog.lookout.com/spywaller-mobile-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.lookout.com/spywaller-mobile-threat"
	],
	"report_names": [
		"spywaller-mobile-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/191efb5ffee88e3c53702ecae748404e555b45ff.pdf",
		"text": "https://archive.orkl.eu/191efb5ffee88e3c53702ecae748404e555b45ff.txt",
		"img": "https://archive.orkl.eu/191efb5ffee88e3c53702ecae748404e555b45ff.jpg"
	}
}