{
	"id": "d23aefc9-3c2d-4da7-98b6-10d812ba958a",
	"created_at": "2026-04-06T00:20:21.272288Z",
	"updated_at": "2026-04-10T03:30:33.283847Z",
	"deleted_at": null,
	"sha1_hash": "2e4c01a8bc06ffe039402d73976621bde3aa1fd4",
	"title": "Android Spyware Targeting Tanzania Premier League | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2511261,
	"plain_text": "Android Spyware Targeting Tanzania Premier League | blog\r\nBy Shivang Desai\r\nPublished: 2020-07-29 · Archived: 2026-04-05 19:03:08 UTC\r\nThe Zscaler ThreatLabZ team is always hunting for malware out in the wild. Recently, there have been endless\r\ncases where attackers were targeting mobile users with malware leveraging the COVID-19 pandemic. \r\nAmidst all the COVID-related malware activities, we actually came across some Android malware samples that\r\nweren't COVID-19 related. Instead, they were targeting the ongoing Tanzania Mainland Premier League football\r\nseason. The Tanzania Mainland Premier League is the top-level professional football (or soccer, as it is most\r\ncommonly known here in the United States) league in Tanzania, Africa.\r\nWe came across some of the Android Packages (APKs) that were targeting two of the most famous football clubs\r\nin Africa, namely Simba SC and Yanga (Young Africans) SC. \r\nFigure 1: Logos for the Tanzania football clubs targeted in a recent scam.\r\nWe also found some legit apps on the Google Play store that are related to these clubs. As seen in Figure 2, the\r\nspyware portrays itself as official apps of the above-mentioned teams.\r\nhttps://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league\r\nPage 1 of 5\n\nFigure 2: Real vs. fake logos for Simba SC and Yanga SC.\r\nThese apps are basically spyware, which include the following capabilities: \r\nRead SMS messages\r\nFetch contacts\r\nRecord audio\r\nCalling functionality\r\nAccess real-time location \r\nRead/write external storage \r\nSteal photos \r\nAccess the camera\r\nThese capabilities basically sum up a perfectly developed spyware with full-fledged features to spy on anyone. 
\r\nUpon further analysis, these APKs turned out to be developed using a popular surveillance tool named SpyMax.\r\nIts predecessor, SpyNote, was one of the most widely used spyware frameworks. In the past, there were instances\r\nwhere SpyNote was notoriously used to victimise Netflix users and a wide range of other Android users. \r\nSpyMax seems to be the new favorite among attackers in the underground forums. We found some evidence that\r\nSpyMax has been developed in these underground forums with its main focus on the latest Android compatibility\r\nand antivirus evasion.  \r\nFigure 3: Underground forum discussions about SpyMax.\r\nAs seen in Figure 3, many of the discussions are about trying to make SpyMax samples fully undetectable (FUD)\r\nby antivirus scans. \r\nThough SpyMax is free in itself, some developers claim to have developed their own versions that are undetected\r\nby antivirus software and are selling the samples at rates ranging from $45 to $350 per month. The same user in\r\nFigure 3 posted about his or her costs, as can be seen in Figure 4.\r\nFigure 4: A user discussing the costs of a FUD version of SpyMax.\r\nGetting back to the campaign, we unfortunately could not track back to the command and control (C\u0026C) server,\r\nas it was not active during our analysis. But we were able to get hold of some more samples that were designed by\r\nthe same attacker or group of attackers. (Hashes can be found in the IOC section at the end of this blog.)\r\nOne such sample developed by the attacker using SpyMax was a live streaming app that claimed to stream live\r\nfootball matches from the Tanzania Premier League. The main purpose behind this is likely to reach a wide range\r\nof football fans and attack their devices. 
The icons of the app can be seen in Figure 5 (Live Stream is the first from\r\nthe left).\r\nFigure 5: Fake (spyware) apps.\r\nAll these apps behave in exactly the same way. As soon as the victim tries to open the app, it crashes with a message\r\nsaying \"App is not installed\" before suddenly hiding the icon. This activity makes the victim believe that the app\r\nmight be faulty and was removed implicitly from the mobile device. But in reality, the app hides itself from the victim\r\nand carries out its hideous activities of spying on the user and sending all the stolen data back to the attacker. \r\nConclusion\r\nNowadays, developing high-end surveillance apps (also termed spyware or stalkerware) is as easy as developing a\r\nbasic Android app with the help of tools such as SpyMax. Even a novice can develop spyware and attack a large\r\nnumber of people. As seen in this case, the attacker used SpyMax to target Android users interested in an ongoing\r\nfootball season. From a user's point of view, it's always advisable to take the utmost care when online, especially in\r\ntimes when work-from-home has become the norm.\r\nThe precautions you take online have been covered extensively; even so, we believe this information bears\r\nrepeating. Please follow these basic precautions during the current crisis—and at all times: \r\nInstall apps only from official stores, such as Google Play.\r\nNever click on unknown links received through ads, SMS messages, emails, or the like.\r\nAlways keep the \"Unknown Sources\" option disabled on the Android device. This prevents apps from being\r\ninstalled on your device from unknown sources. \r\nWe would also like to mention that if you come across an app hiding its icon, as seen in the case above,\r\nalways try to search for the app in your device settings. 
(Settings -\u003e Apps -\u003e  Search for icon that was hidden) \r\nIOCs\r\nHash Package Name\r\naa67921f19809edc87f1f79237e123e9c5c67019 com.yanga.yanga\r\n2ed2d804754d83aa5de32c27b4ca767d959bf3e8 com.yellowfans.yanga\r\nbea206cf83eea30bf5d0734d94764796d956c4f5 com.livestream.livestream\r\n1cc01da09849e17f83940d9250318d248f7ab77d com.simba.simba\r\n4c7a41d7b0a225f0fa61fe7dc18695e03c2690c8 com.yellowfans.yanga\r\nSource: https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league"
	],
	"report_names": [
		"android-spyware-targeting-tanzania-premier-league"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434821,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e4c01a8bc06ffe039402d73976621bde3aa1fd4.pdf",
		"text": "https://archive.orkl.eu/2e4c01a8bc06ffe039402d73976621bde3aa1fd4.txt",
		"img": "https://archive.orkl.eu/2e4c01a8bc06ffe039402d73976621bde3aa1fd4.jpg"
	}
}