{
	"id": "3c039cfc-7c31-4bb9-8733-9b7377c1f4b9",
	"created_at": "2026-04-06T00:06:20.811947Z",
	"updated_at": "2026-04-10T13:12:58.224381Z",
	"deleted_at": null,
	"sha1_hash": "d1d1e8022f86f79dae4e0fd6daec7a49f02ee70c",
	"title": "SpyDealer: Android Trojan Spying on More Than 40 Apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1839729,
	"plain_text": "SpyDealer: Android Trojan Spying on More Than 40 Apps\r\nBy Wenjun Hu, Cong Zheng, Zhi Xu\r\nPublished: 2017-07-06 · Archived: 2026-04-05 21:15:01 UTC\r\nWith the prevalence of Google Android smartphones and the popularity of feature-rich apps, more and more people rely on\r\nsmartphones to store and handle kinds of personal and business information which attracts adversaries who want to steal that\r\ninformation. Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer”\r\nwhich exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing\r\nthe Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege,\r\nwhich enables the subsequent data theft.\r\nSpyDealer has many capabilities, including:\r\nExfiltrate private data from more than 40 popular apps including: WeChat, Facebook, WhatsApp, Skype, Line, Viber,\r\nQQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Brower, QQ\r\nMail, NetEase Mail, Taobao, and Baidu Net Disk\r\nAbuses the Android Accessibility Service feature to steal sensitive messages from popular communication and social\r\napps such as WeChat, Skype, Viber, QQ\r\nTakes advantage of the commercial rooting app “Baidu Easy Root” to gain root privilege and maintain persistence on\r\nthe compromised device\r\nHarvests an exhaustive list of personal information including phone number, IMEI, IMSI, SMS, MMS, contacts,\r\naccounts, phone call history, location, and connected Wi-Fi information\r\nAutomatically answer incoming phone calls from a specific number\r\nRemote control of the device via UDP, TCP and SMS channels\r\nSpy on the compromised user by:\r\nRecording the phone call and the surrounding audio \u0026 video.\r\nTaking photos via both the front and rear camera\r\nMonitoring the compromised device’s location\r\nTaking 
screenshots\r\nThere are multiple factors that mitigate the risk of this threat to most users:\r\nAs far as we know, SpyDealer has not been distributed through the Google Play store.\r\nWe do not know exactly how devices are initially infected with SpyDealer, but we have seen evidence suggesting that Chinese users become infected through compromised wireless networks.\r\nWe have reported information on this threat to Google, and they have created protections through Google Play Protect.\r\nSpyDealer is only completely effective against Android devices running versions between 2.2 and 4.4, as the rooting tool it uses only supports those versions. This represents approximately 25% of active Android devices worldwide. On devices running later versions of Android, it can still steal significant amounts of information, but it cannot take actions that require higher privileges.\r\nAs of June 2017, we have captured 1046 samples of SpyDealer. Our analysis shows that SpyDealer is currently under active development. There are three versions of this malware currently in the wild: 1.9.1, 1.9.2 and 1.9.3. Starting from 1.9.3, the content of configuration files and almost all constant strings in the code are encrypted or encoded. An accessibility service was also introduced in 1.9.3 to steal targeted apps’ messages.\r\nhttps://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/\r\nPage 1 of 23\n\nAccording to our dataset, most of these samples use the app name “GoogleService” or “GoogleUpdate”. The most recent sample we have observed was created in May 2017, while the oldest sample dates back to October 2015, indicating that this malware family has been active for over a year and a half. 
We also observed evidence of infected users discussing the malware in October 2015 and February 2016, as shown in Figure 1.\r\nFigure 1 Real infection instances in the wild\r\nDetailed Technical Analysis\r\nService Launching and Configuration\r\nOnce installed on an Android device, SpyDealer shows no application icon. However, it registers two broadcast receivers to listen for events related to the device booting up and to changes in network connection status. Whenever either of these events is broadcast, the key service component AaTService starts. At its first launch, it retrieves configuration information from the local asset file named readme.txt. The first line of this file gives the IP address of a remote C2 server, the second line configures what actions the malware may take on mobile networks, and the third line specifies what actions are allowed on a Wi-Fi network. The configuration can also be updated remotely through the various C2 channels. One example of readme.txt is given in Figure 2. The full list of the IP addresses of the remote C2 servers is available in Appendix B. A partial listing of the configurable actions is given in Table 1.\r\nFigure 2 Content of the readme.txt\r\nTable 1 Partial Listing of Configurable Actions\r\nNumber Action\r\n1 Get call history\r\n2 Get SMS messages\r\n3 Record audio\r\n4 Get GSM location\r\n5 Get contacts\r\n7 Get information and network traffic of installed apps\r\n8 Get device-specific information\r\n9 Send recorded audio files\r\n10 Capture screenshot\r\n11 List files under a given directory\r\n12 Get GPS location\r\n20 Intercept incoming SMS messages\r\n21 Do not intercept incoming SMS messages\r\n82 Get currently running apps\r\nRooting and Persistence\r\nSpyDealer uses two different rooting procedures to gain root (superuser) privilege. 
Samples of versions 1.9.1 and 1.9.2 reuse the root exploits shipped with the commercial rooting app “Baidu Easy Root”. Rooting applications like this one are created for users who want low-level access to their phone, which is not possible without removing some security protections. This is not the first time that Android malware has stolen root exploits from an existing commercial rooting tool: in 2015, we saw the Rootnik Android Trojan abuse the “Root Assistant” tool to gain root access.\r\nSpyDealer 1.9.1 and 1.9.2 gain root privilege by abusing “Baidu Easy Root” as detailed below:\r\n1. Drops a customized su binary named sux from assets to the app’s own data directory.\r\n2. Checks whether the infected device is already rooted. If root privilege is already available, there is no need to escalate.\r\n3. Checks for the file /data/data/\u003cpackage_name\u003e/broot/raw.zip, which contains all the rooting exploits. If the file is absent, the malware downloads it from http[:]//yangxiu2014.0323.utnvg[.]com/apk/raw.zip and then checks the download by comparing the MD5 of the received file with the pre-calculated value fetched from http[:]//yangxiu2014.0323.utnvg[.]com/apk/md5.txt. Note that this is only a transfer check, not an integrity guarantee: both the archive and its expected hash come over plain HTTP from the same attacker-controlled host.\r\n4. Unzips the downloaded file into the app’s data directory and attempts to gain root privilege by executing the exploits one by one.\r\n5. Installs busybox and remounts the system partition read-write by running a sequence of shell commands with superuser permission.\r\nThe downloaded file “raw.zip” contains the exploits from “Baidu Easy Root” version 2.8.3, as depicted in Figure 4. Table 2 gives the full list of the exploits stolen by SpyDealer. For example, 022d251cf509c2f0 is an executable binary observed in “raw.zip”, while the original file in “Baidu Easy Root” is stored in gzip format. 
It is interesting that we can recover its original file name, which is fb_mem_root.\r\nFigure 4 Files in the downloaded raw.zip and Baidu Easy Root v2.8.3\r\nTable 2 Exploit files stolen from Baidu Easy Root (file name in raw.zip, original file name, SHA256)\r\nFile Name Original File Name SHA256\r\n022d251cf509c2f0 fb_mem_root d54ab418ba35f7623c45e3ba7fe341be9955f332524a251a886fbe34b1d11af4\r\n23c6b143cd0d6c15 camera_config_exp 7e238f8f1f61dd81f1bebc59717b86769adeca6615f0460fc282d7a0ced1f10d\r\n297e4ba234a39ee6 put_user_opt_exp 3367c0dd8ead724da0c8cd05e8f15a3664ec418bdcdaa2b3721fbc5f7b060f86\r\n460dbcebd7f09800 hw_hisi_exp 7ceb9ec2d02a29bcece226f9e29c9e161594dcb8e40dc853325ac087863d144d\r\n4f2d1af460417f6a boomsh 1b7a7fb6546c28e62506f458ccaff513743f568793a9fe639c2c54c3bcdec07a\r\n54a9d3d68cb16d5a omap_dsp_exp 977dcfc06889d3a4a30d4f2a97a29df812a3cb18fcced894fa2293cbf9f2fb37\r\n5fb437fbf964d7e7 mtk_isp_exp 51b970eef664819f28d5c3ad5c29ecff089d21b6164c6be495956b5002f43c14\r\n621f1ca29529a0ab mtk_fdvt_exp 0ad1a250341839e3d9c5567f79b56aab501ab9e06375f401a74fbfeadd6bd40b\r\n63e31e6275526979 mtk_isp_exp2 22a45ceb1ba9fbf377f89530baf85542d34294cefd3530ca563d148a58ae2f8d\r\n65d21f6fc35ec9f1 camera_root 04e331353b028c87e2804df20bdbea845fb03323d3c7ce9003807ff91925b49b\r\n75ea92243ef5ba08 s3c_video_exp 5fb0de184fc0c95add07727cad833c23888e08229631354571d859d27c4b7b5b\r\n7e1d4da7f8e209fb put_user_exp 0413e5743ef4e3c56bdb22c73c7436544219c2d8bea6f51c1aa24adab7262524\r\n802df67ba2cf7d1b mvl_galcore_exp 8ba1ffc6fe8ce44bb778136dd2c27ccb62a951009769363811ca818a1ee14308\r\n8f28646170a23ff2 exynos_abuse f52a96db49cd8acd6257237bff7b89f1cba755f9fb828ceb12a79a467d2b8405\r\n97145f9a7d58647f s3c_fb_root c9676968ba0b891fbed8db0de8c9dbabb4265e5b7d95705c69c7b925d21f98b3\r\nb19d38ccddca2eff mtk_m4u_exp c464e477daa5f2b8247764497c2f18c8d920bef7bea612f76b25e1477d5436a3\r\nc78eedf55997bf88 futex_cheat_exp 950452471531c89488e28f8e8126d02741efed119c5f1224167fe38a1bf41980\r\ne366af54946d116f mtk_vdec_exp b113ed4edec1cb99fbddca292eb247a773c84f68282cdd09f120ebadcc5c7a60\r\ne45b79e67137d261 dev_mmap_exp e142db432bd6371a6c6eda27143ebbef3efd54f8fbe0ea986fd87d0f8c731681\r\nf2c51886c67482bc common_root_shell fc2b9690b926f4878c717c5a2f986bad0b58f78b7f9b5b4173c4735adb6b00c7\r\nf546e283a9229234 am_jpegdec_exp bcb4c0c6166a9d34a327e157cb12ca4df33d16e98b54ede25b71ed4f7bb7ae5d\r\nSpyDealer 1.9.1, 1.9.2 and 1.9.3 also gain root privilege through another method that does not use “Baidu Easy Root”, as detailed below:\r\n1. Drops files including sux, getroot, logo.png and busybox_g1 from assets to the app’s own data directory.\r\n2. Copies the dropped files sux, logo.png and busybox_g1 to /data/data/\u003cpackage_name\u003e/app_bin.\r\n3. Generates the shell script /data/data/\u003cpackage_name\u003e/app_bin/toor.sh with the content depicted in Figure 5.\r\n4. Executes png and toor.sh to gain root privilege, and deletes these two files at the end.\r\nFigure 5 Content of toor.sh\r\nReaders should note that this second rooting method only targets Android versions 4.0 to 4.3 (inclusive). However, the exploits used in this attack remain unknown to us, as none of logo.png, getroot or busybox_g1 actually exists in the app’s assets.\r\nAfter gaining root privilege, SpyDealer takes steps to maintain persistence on the compromised device. It first drops a native executable named powermanager to its own data directory (Figure 6). Once executed, powermanager backs up the app’s APK file to /system/bin/update_1.apk. Whenever the app is uninstalled (Figure 7), the running powermanager copies the APK from /system/bin/update_1.apk to /system/app/Update.apk, so that the Trojan comes back as a system app (Figure 8). 
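A triage pass for the artifacts this section names, plus the dealapp binary and the TCP port 39568 server described later in the report, as an added example that is not part of the original report or of the malware: it checks a pulled device image for the persistence copies and the dropped rooting files, hashes package data against two of the Table 2 SHA256 values, and parses /proc/net/tcp for the listening port. The image layout, the package name com.example.googleservice and the /proc/net/tcp sample are constructed for the example; pulling /data/data needs a rooted device or a physical image.

```python
import hashlib
import os
import tempfile

# Paths the report names, relative to the root of a pulled image (e.g. the
# directory that `adb pull /system` and `adb pull /data` were written into;
# /data/data is only readable with root or from a physical image).
PERSISTENCE_PATHS = (
    'system/bin/update_1.apk',   # backup written by powermanager
    'system/app/Update.apk',     # reinstalled copy, runs as a system app
    'system/bin/dealapp',        # data-theft helper installed later with root
)
# Dropped under /data/data/<package_name>/ by the two rooting routines.
PER_PACKAGE_PATHS = ('app_bin/toor.sh', 'app_bin/sux', 'broot/raw.zip', 'powermanager')
# SHA256 values from Table 2 (two of them; extend with the rest of the table).
KNOWN_EXPLOIT_SHA256 = {
    'd54ab418ba35f7623c45e3ba7fe341be9955f332524a251a886fbe34b1d11af4': 'fb_mem_root',
    'fc2b9690b926f4878c717c5a2f986bad0b58f78b7f9b5b4173c4735adb6b00c7': 'common_root_shell',
}
TCP_SERVER_PORT = 39568


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def scan_image(root):
    """Return sorted findings ('kind:detail') for a pulled device image."""
    findings = []
    for rel in PERSISTENCE_PATHS:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append('persistence:' + rel)
    data_dir = os.path.join(root, 'data', 'data')
    if os.path.isdir(data_dir):
        for pkg in sorted(os.listdir(data_dir)):
            pkg_dir = os.path.join(data_dir, pkg)
            for rel in PER_PACKAGE_PATHS:
                if os.path.exists(os.path.join(pkg_dir, rel)):
                    findings.append('dropper:%s/%s' % (pkg, rel))
            # raw.zip is unzipped into the package's data directory, so hash
            # every regular file there and match against the Table 2 values.
            for dirpath, _, names in os.walk(pkg_dir):
                for name in names:
                    p = os.path.join(dirpath, name)
                    if os.path.isfile(p) and not os.path.islink(p):
                        label = KNOWN_EXPLOIT_SHA256.get(sha256_of(p))
                        if label:
                            findings.append('exploit:%s=%s' % (os.path.relpath(p, root), label))
    return sorted(findings)


def listening_ports(proc_net_tcp):
    """Ports in LISTEN state (st == 0A) from the text of /proc/net/tcp, as
    printed by `adb shell cat /proc/net/tcp`; the port is hex after the colon."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:       # first line is the header
        cols = line.split()
        if len(cols) >= 4 and cols[3] == '0A':
            ports.add(int(cols[1].rsplit(':', 1)[1], 16))
    return ports


def spydealer_server_listening(proc_net_tcp):
    return TCP_SERVER_PORT in listening_ports(proc_net_tcp)


# Constructed /proc/net/tcp: the malware's server (0x9A90 == 39568), an
# unrelated listener on 8080 and one established connection.
SAMPLE_PROC_NET_TCP = (
    '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n'
    '   0: 00000000:9A90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10052        0 12345 1 0 100 0 0 10 0\n'
    '   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0 100 0 0 10 0\n'
    '   2: 0F00000A:C3B2 0B0A8B5E:01BB 01 00000000:00000000 00:00000000 00000000 10052        0 12347 1 0 100 0 0 10 0\n'
)


def make_sample_image():
    """Constructed image: the persistence backup plus a toor.sh under one
    (made-up) package; the malware's real package names are not in the report."""
    root = tempfile.mkdtemp(prefix='spydealer-')
    os.makedirs(os.path.join(root, 'system', 'bin'))
    open(os.path.join(root, 'system', 'bin', 'update_1.apk'), 'wb').close()
    pkg_bin = os.path.join(root, 'data', 'data', 'com.example.googleservice', 'app_bin')
    os.makedirs(pkg_bin)
    with open(os.path.join(pkg_bin, 'toor.sh'), 'w') as f:
        f.write('#!/system/bin/sh\n')   # placeholder; Figure 5 is not reproduced
    return root


if __name__ == '__main__':
    for finding in scan_image(make_sample_image()):
        print(finding)
    print('port %d listening: %s' % (TCP_SERVER_PORT, spydealer_server_listening(SAMPLE_PROC_NET_TCP)))
```

On a live device, the same checks can be run over `adb shell` (`ls -l /system/bin/update_1.apk /system/app/Update.apk`, `ps | grep powermanager`, `cat /proc/net/tcp`); removing the APK alone is not enough, because the running powermanager reinstalls it from the /system/bin copy, so the backup and the process have to go first.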
After reinstallation, the core SpyDealer service (AaTService) is launched again to perform its malicious behaviors.\r\nFigure 6 Drop and execute powermanager\r\nFigure 7 Monitor the data directory and reinstall the app once it is uninstalled\r\nFigure 8 The malware copies itself to /system/bin/update_1.apk and reinstalls it to /system/app if uninstalled\r\nCommand \u0026 Control\r\nSpyDealer is capable of receiving commands from remote servers via a number of different channels, either by actively initiating connections to C2 servers or by passively receiving instructions from them. These channels are SMS, UDP and TCP. This section details how the malware uses each of these channels to communicate with the remote C2 servers.\r\nSMS\r\nSpyDealer registers a broadcast receiver with a higher priority than the default messaging app to listen for commands arriving in incoming SMS messages. The commands received through SMS are first decoded for further parsing and processing. Each SMS command contains a command index and arguments, split by a newline. The command index ranges from 1 to 5 and each command is detailed in Table 3.\r\nTable 3 SMS command list\r\nCommand Index Description\r\n1 Get geographical location via GSM cell information.\r\n2 Collect the contacts on the device and send them back via SMS.\r\n3 Gather SMS messages created later than a given date in the inbox, outbox and draft box, and send them back via SMS.\r\n4 Exfiltrate call history entries later than a given date via SMS. The collected information contains call duration, phone number and date/time.\r\n5 Set the auto-reply phone number. 
The malware automatically answers an incoming phone call when the caller’s number matches the set one.\r\nTo get the geographical location from GSM cell information, SpyDealer takes advantage of the interface of the Baidu map service (Figure 9). It first collects the GSM cell identity, location area code and network operator and then posts the encoded data to the Baidu map service to retrieve the geographical location. With this tactic, a compromised device’s location is exposed to the attacker even when no GPS fix is available.\r\nFigure 9 Utilize the interface of Baidu map service to get geographical location\r\nBesides the commands listed above, SpyDealer can also set the remote server’s IP address under the following two conditions:\r\nIf the length of the command index received in the SMS (Table 3) is larger than 4, the command index is actually the remote server’s IP address.\r\nIf the incoming SMS message body starts with the string “L112 ”, what follows it is the remote server’s IP address.\r\nIf SpyDealer receives a command index of 1 or 2, it does not reply to the SMS command. If it receives a command index of 3, 4 or 5, it acknowledges the command by sending back a specially formatted SMS response. For example, on receiving command 5 it automatically replies with a message in the format “msg:repcall|\u003cphone number\u003e”.\r\nAll incoming SMS messages that contain commands are aborted, meaning the user never sees them. Other SMS messages are also blocked if the malware is configured to do so or if the sending number is in the blocking list. (Aborting the SMS broadcast from a higher-priority receiver only works before Android 4.4; from 4.4 onwards only the default SMS app can consume incoming messages, which is one more reason the malware is most effective on the older versions noted above.)\r\nTCP Server\r\nSpyDealer creates a TCP server on the compromised device listening on port 39568 and waits for incoming commands. 
The format and description of each command are listed in Table 4.\r\nTable 4 Commands via TCP channel\r\nCommand Format Description\r\nimei Send back the device IMEI\r\nmobileinfor Send back device information including IMEI, IMSI and phone number\r\ngettype\\t1 Send back contacts information including contact name and phone number\r\ngettype\\t\\t1 Send back SMS messages in the inbox, outbox and draft box\r\ngettype\\t\\t\\t1 Send back call history including call duration, type and date\r\nlistdir\\t\u003cdirectory\u003e Send back information about the files under a given directory: file path, file size and last modified time\r\nOver Close the socket connection\r\nThe response data is formatted in the following byte pattern:\r\n{0x35, 0x31, 0x64, 0x11, 0x09, \u003clength of data\u003e, 0x09, \u003cdata\u003e}\r\nThere is no authentication mechanism in front of this command handler, which means anyone who can reach the target device’s IP address can connect to a compromised device and control it; an infected phone on a shared Wi-Fi network is exposed to every other host on that network, not only to the malware’s operators.\r\nUDP/TCP Client\r\nAside from the TCP server that passively waits for commands, SpyDealer can also actively connect to the remote server at the configured IP address to ask for commands over UDP or TCP. At first launch, the remote server’s IP address is retrieved from the local asset readme.txt, and whether UDP or TCP is used is determined by another local asset named socket. The list of servers contains around 90 different IPs/domains that SpyDealer may use; the full list can be found in Appendix B.\r\nThe command data received by the client is encrypted by the server using the Tiny Encryption Algorithm (TEA). Once the client receives a command, the malware decrypts the data (Figure 10) and then parses and processes the command. 
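The two wire formats just described, the TCP-server response frame and the TEA-encrypted client command, as an added example that is not part of the original report and is not the malware's code. It is written from the description above only: the TEA key, the word order (little-endian), zero padding of the last block, a one-byte length field in the response frame and base64 encoding of the newline-separated argument list as one blob are all assumptions, and the key and the IMEI are constructed.

```python
import base64
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9          # standard TEA constant
ROUNDS = 32


def _tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def _tea_decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_encrypt(data, key):
    """TEA in ECB mode over 8-byte blocks with a 16-byte key. Little-endian
    words and zero padding are assumptions, not taken from the report."""
    k = struct.unpack('<4I', key)
    data += b'\x00' * (-len(data) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack('<2I', *_tea_encrypt_block(*struct.unpack('<2I', data[i:i + 8]), k))
    return bytes(out)


def tea_decrypt(data, key):
    k = struct.unpack('<4I', key)
    out = bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack('<2I', *_tea_decrypt_block(*struct.unpack('<2I', data[i:i + 8]), k))
    return bytes(out).rstrip(b'\x00')   # strip the assumed zero padding


def build_client_command(name, args):
    """C2 -> client command: '<command>\\n<base64 args>' per the report, with
    the newline-separated argument list base64-encoded as one blob (assumption)."""
    body = base64.b64encode('\n'.join(args).encode('utf-8')) if args else b''
    return name.encode('utf-8') + b'\n' + body


def parse_client_command(plaintext):
    name, _, body = plaintext.partition(b'\n')
    args = base64.b64decode(body).decode('utf-8').split('\n') if body else []
    return name.decode('utf-8'), args


# TCP server (port 39568) response frame from the report:
# {0x35, 0x31, 0x64, 0x11, 0x09, <length of data>, 0x09, <data>}
FRAME_MAGIC = bytes([0x35, 0x31, 0x64, 0x11, 0x09])


def encode_tcp_response(data, length_bytes=1):
    """The report does not give the width of the length field; one byte is the
    default here and the caller can try wider big-endian fields on captures."""
    if len(data) >= 256 ** length_bytes:
        raise ValueError('payload too long for the length field')
    return FRAME_MAGIC + len(data).to_bytes(length_bytes, 'big') + b'\x09' + data


def decode_tcp_response(buf, length_bytes=1):
    """Return (payload, remaining bytes); raises ValueError on a bad frame."""
    hdr = len(FRAME_MAGIC) + length_bytes
    if not buf.startswith(FRAME_MAGIC) or len(buf) < hdr + 1 or buf[hdr] != 0x09:
        raise ValueError('not a SpyDealer response frame')
    n = int.from_bytes(buf[len(FRAME_MAGIC):hdr], 'big')
    if len(buf) < hdr + 1 + n:
        raise ValueError('truncated frame')
    return buf[hdr + 1:hdr + 1 + n], buf[hdr + 1 + n:]


KEY = b'0123456789abcdef'        # constructed; the real key is not in the report


def demo():
    # Server side encrypts a 'list' command (Table 5); client side decrypts and parses it.
    wire = tea_encrypt(build_client_command('list', ['7', '20', '/sdcard/DCIM']), KEY)
    name, args = parse_client_command(tea_decrypt(wire, KEY))
    # Reply the TCP server would send to an unauthenticated 'imei' request (constructed IMEI).
    frame = encode_tcp_response(b'356938035643809')
    payload, rest = decode_tcp_response(frame)
    return name, args, payload, rest


if __name__ == '__main__':
    print(demo())
```

Because the TCP server needs no authentication, `decode_tcp_response` is also the check for whether a host on your network is infected: connect to port 39568, send the `imei` command from Table 4, and a reply that starts with the five-byte magic is the answer.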
Through the UDP/TCP client channel, the attacker can fully control the compromised device with more than 45 different commands ranging from private data collection and surveillance to remote code execution.\r\nFigure 10 TEA algorithm used to decrypt incoming command\r\nEach command starts with the command name followed by a newline character and the base64-encoded arguments. Table 5 details the full list of commands available through this channel. One interesting command is named SendMsg. Previously, Android malware could fake an incoming SMS message by exploiting the Smishing vulnerability, which was patched in Android 4.2. To achieve the same effect on newer Android versions, SpyDealer first inserts an SMS message into the inbox and then posts a notification indicating that an SMS message has arrived. To our knowledge, this is the first malware family that fakes an incoming SMS message in this way.\r\nCommand Format | Command Arguments | Description\r\nlist\\n\u003ccmd_id\u003e\\n\u003cmax_count\u003e\\n\u003cdirectory\u003e | cmd_id: the command index; max_count: max number of files to collect; directory: target directory | List at most max_count files under the directory and send back the file name, file size and last modified time\r\nsearchdir\\n\u003cfile_suffix\u003e\\t\u003ctime_range\u003e\\t\u003csize_range\u003e | file_suffix: suffixes split by “,”; time_range: start time and end time split by “-”; size_range: smallest and largest file size split by “-” | Search files under external storage and send back the information of files that match the given suffixes, last modified time and file size\r\nsubloadfile\\n\u003cfile_path\u003e\\n\u003ccmd_id\u003e\\n\u003coffset\u003e\\n\u003clength\u003e | file_path: the target file path; cmd_id: the command index; offset: starting point of the file to read; length: total number of bytes to be sent | Send back part of the content of the specified file, starting at the given offset\r\nsetsctm\\n\u003ctime\u003e | time: number of seconds | Set the screenshot interval: a screenshot is taken every time seconds\r\ngetsctm | (none) | Query the screenshot interval\r\nsetmd5filter\\n\u003cfile_md5\u003e | file_md5: MD5 hash value | Set the MD5 filter which is used to search for a file with the same MD5 value\r\ngetmd5filter | (none) | Query the MD5 filter that was set\r\nfilemd5\\n\u003cfile_path\u003e | file_path: the target file path | Collect the file information of the given file_path including MD5, file name, file size and last modified time\r\nloadfile\\n\u003cfile_dir_path\u003e | file_dir_path: the target file or directory path | Store the file or directory path that is ready to be uploaded\r\nFinishDFile\\n\u003cfile_dir_path\u003e | file_dir_path: the target file or directory path | Store the file or directory path that has already been uploaded\r\nsysinfo | (none) | Collect the compromised device’s information including phone number, Wi-Fi MAC address, network operator, screen display metrics, camera information, etc.\r\ngsmlocation | (none) | Get the geographical location based on the cell information\r\ngetpackets | (none) | Collect the installed apps’ information including app name, package name, and network packets received and transmitted by each app\r\nqueryremoteip | (none) | Query the remote server’s IP address set previously\r\ncontact | (none) | Get the contact name, phone number and thumbnail images\r\nhistorycall | (none) | Send back the phone call history including the phone number, contact name, date and call duration\r\ngetsms | (none) | Retrieve all the SMS messages in the inbox, outbox and draft box as well as the MMS messages\r\nset3gtrans\\n\u003ctype\u003e\\n\u003cconfig\u003e | type: the type of configuration; the Wi-Fi configuration is set if the value is wifi, otherwise the 3G configuration is set; config: the configuration content | Set the configuration used under Wi-Fi or 3G networks; this configuration controls what actions the malware may take\r\ngettransinfo | (none) | Query the configuration that indicates what kinds of actions are enabled\r\nSetGpstm\\n\u003ctime\u003e | time: number of seconds | Set the interval at which the GPS location is obtained\r\nQueryGpstm | (none) | Query the interval at which the GPS location is obtained\r\nsetremoteip\\n\u003cip\u003e | ip: IP address of the remote server | Set the remote C2 server’s IP address\r\nFileConfig\\n\u003cfile_name\u003e\\n\u003caction_type\u003e\\n\u003cconfig_content\u003e | file_name: a file with this name is created under the app’s own data directory; action_type: if the value is “set”, the config content is stored; config_content: configuration content to be stored | Store config_content in the file named file_name under the app’s own data directory\r\nsetautophone\\n\u003cphone_num\u003e | phone_num: phone number | Set the phone number; the malware automatically answers incoming calls whose number matches it\r\ngetautophone | (none) | Get the phone number set by the command setautophone\r\nsetabroadsms\\n\u003cphone_nums\u003e | phone_nums: phone numbers split by the newline character | Set the SMS message blocking list. 
The malware blocks incoming SMS messages whose sender is in the blocking list\r\ngetabroadsms | (none) | Get the list of blocked phone numbers set by the command setabroadsms\r\nsetsocketmode\\n\u003csocket_type\u003e | socket_type: see description | Set the communication protocol. The default is UDP; if socket_type is “t”, the protocol is changed to TCP\r\nSetBackIp\\n\u003cip\u003e | ip: IP address | Set the IP address of the backup C2 server\r\nuninstall | (none) | Uninstall the malware itself\r\nExecCmd\\n\u003ccommand\u003e | command: shell command string | Execute the command with root privilege\r\ngetevnaudiostate | (none) | Check whether audio recording is enabled\r\nSendMsg\\n\u003caction_type\u003e\\n\u003cphone_num\u003e\\n\u003ccontent\u003e\\n\u003cdate_time\u003e | action_type: type of action; phone_num: phone number; content: message body; date_time: date/time string | If action_type is “local”, the malware inserts a fake SMS message with phone_num as the source address and content as the message body, and posts an incoming-SMS notification. Otherwise, an SMS message with the content is sent to phone_num\r\nGetSControl\\n | (none) | Get some configuration values, such as whether to consume battery, test the network connection, etc.\r\nReGetApp\\n\u003cfile_names\u003e | file_names: file names split by comma | Delete the .db files specified by file_names one by one. The .db files are under /data/data/\u003cpackage_name\u003e/files/app/out\r\nGetApp\\n\u003cpackage_names\u003e | package_names: app package names split by comma | Upload apps’ data files except libs. 
The target apps are determined by the argument package_names\r\nStartRoot | (none) | Try to execute the exploits to gain root privilege\r\ncamvideo\\n\u003ccamera_type\u003e\\n\u003cduration\u003e | camera_type: front or rear camera; duration: duration of each video to be recorded | Set the configuration for video recording. The rear camera is used if camera_type is “back”, otherwise the front camera is used; duration specifies the length of the video\r\ncampic\\n\u003ccamera_type\u003e | camera_type: front or rear camera | Determine which camera to use to take a picture. The rear camera is used if camera_type is “back”\r\nGetPhoneNum\\n\u003cphone_num\u003e | phone_num: phone number | Send the GSM location of the compromised device along with the remote server’s IP to the given phone number via SMS\r\nDeleteFile\\n\u003cfile_path\u003e | file_path: absolute path of a file or folder | Delete a file or folder under the malware’s own data directory\r\nSControl\\n\u003ccmd_type\u003e\\n\u003ccmd_arguments\u003e | cmd_type: number indicating which type of sub-command to execute; cmd_arguments: command arguments | Execute various sub-commands, for example delete files, get Wi-Fi connection information, consume battery, etc. All sub-commands are detailed in Table 6\r\nTable 5 Commands through UDP/TCP Client\r\nFor the command type SControl, the sub-command is selected by the cmd_type field, an integer ranging from 0 to 10 (plus the special value 99). 
All the sub-commands are detailed in Table 6.\r\nSub Command Type | Command Arguments | Description\r\n0 | (none) | Execute rm commands including “rm -r /system/app/”, “rm -r /data/app/”, “rm -r /system/bin/” and “rm -r /system/xbin/” with root privilege\r\n1 | app package names split by comma | Remove the apps’ data directories by executing “rm -r /data/data/\u003cpackage name\u003e” with root privilege\r\n2 | a string ending with “start” | Continuously consume the compromised device’s resources by doing floating-point multiplication and division\r\n3 | file suffixes split by comma | Delete all the files on external storage that match the given file suffixes\r\n4 | (none) | Enable airplane mode on a device with an Android API level below 18 (i.e. before Android 4.3)\r\n5 | a string ending with “start” | Test the network connection by sending an HTTP request to “http://www.163.com/”\r\n6 | file path | Delete the file at the given path. A file may not be removable because of permissions, so SpyDealer first tries to delete it via the Java API File.delete and then executes the “rm” command with root privilege\r\n8 | (none) | Collect the currently connected Wi-Fi network’s information as well as previously used ones. The information contains BSSID, SSID, MAC address, network id, key management and password\r\n9 | a string ending with “start” | Continuously drain the compromised device’s battery by doing floating-point division\r\n10 | (none) | Get the compromised device’s system information including IMEI, IMSI, Wi-Fi MAC address, phone number, etc.\r\n99 | src_file_path\\ndst_file_path | Copy a file from src_file_path to dst_file_path\r\nTable 6 Detail of SControl sub commands\r\nThe data sent back to the remote server is encrypted using the TEA algorithm. 
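The session layer that the next paragraph describes (MulPacket groups of at most 1000 bytes, each sent three times), as an added example that is not in the original report and is not the malware's code: a sender that splits one response into groups and emits the repeats, and a server-side reassembler that drops the duplicates and tolerates reordering and loss. How the two UUID parts are joined is not stated on the page; "<counter>-<millis>" is this example's assumption, and the IMEI and payload are constructed. The payload would be TEA-encrypted before splitting, as the sentence above says; encryption is left out here.

```python
import time

GROUP_SIZE = 1000          # each group carries no more than 1000 bytes
REPEATS = 3                # every transmission is repeated three times
COUNTER_WRAP = 10_000_000  # the UUID counter resets to 0 after reaching this


class MulPacketSender:
    """Client (infected device) side of the UDP session layer."""

    def __init__(self, imei, now_ms=None):
        self.imei = imei
        self.counter = 0
        self.now_ms = now_ms or (lambda: int(time.time() * 1000))

    def packets(self, data):
        """Return the datagrams to send for one response, in send order."""
        uuid = '%d-%d' % (self.counter, self.now_ms())   # join format is an assumption
        self.counter = (self.counter + 1) % COUNTER_WRAP
        groups = [data[i:i + GROUP_SIZE] for i in range(0, len(data), GROUP_SIZE)] or [b'']
        out = []
        for idx, group in enumerate(groups, start=1):    # CurrentGroupId starts at 1
            header = 'MulPacket\n%s\n%s\n%d\n%d\n' % (self.imei, uuid, len(groups), idx)
            out.extend([header.encode('ascii') + group] * REPEATS)
        return out


class MulPacketReassembler:
    """C2 server side: key groups on (IMEI, UUID), ignore the repeats, and
    release the payload once every group index 1..N has been seen."""

    def __init__(self):
        self.pending = {}

    def feed(self, datagram):
        parts = datagram.split(b'\n', 5)      # Data may itself contain newlines
        if len(parts) != 6 or parts[0] != b'MulPacket':
            return None
        try:
            imei, uuid = parts[1].decode('ascii'), parts[2].decode('ascii')
            total, idx = int(parts[3]), int(parts[4])
        except (UnicodeDecodeError, ValueError):
            return None
        if total < 1 or not 1 <= idx <= total:
            return None
        groups = self.pending.setdefault((imei, uuid), {})
        groups.setdefault(idx, parts[5])      # duplicates keep the first copy
        if len(groups) < total:
            return None
        # A repeat arriving after release starts a new entry; a real server
        # would age pending entries out rather than keep them forever.
        del self.pending[(imei, uuid)]
        return imei, b''.join(groups[i] for i in range(1, total + 1))


def deliver(datagrams, keep):
    """Simulate a lossy, reordering network: keep(i) decides whether datagram
    i survives, and survivors arrive in reverse order. Returns the list of
    reassembled (imei, payload) pairs and the reassembler for inspection."""
    rx = MulPacketReassembler()
    results = []
    for i in reversed(range(len(datagrams))):
        if keep(i):
            done = rx.feed(datagrams[i])
            if done:
                results.append(done)
    return results, rx


SAMPLE_IMEI = '356938035643809'           # constructed
SAMPLE_PAYLOAD = bytes(range(256)) * 10    # 2560 bytes -> 3 groups, 9 datagrams


def demo():
    tx = MulPacketSender(SAMPLE_IMEI, now_ms=lambda: 1499299200000)
    dgrams = tx.packets(SAMPLE_PAYLOAD)
    # Lose two of the three copies of every group: the payload still reassembles.
    ok, _ = deliver(dgrams, keep=lambda i: i % REPEATS == 0)
    # Lose all three copies of group 2 (indices 3, 4, 5): it stays pending.
    lost, rx = deliver(dgrams, keep=lambda i: not 3 <= i <= 5)
    return len(dgrams), ok, lost, len(rx.pending)


if __name__ == '__main__':
    print(demo())
```

The header is plain text in front of the encrypted payload, so `MulPacket\n` followed by a 15-digit IMEI at the start of a UDP datagram is a usable network signature for the exfiltration direction even though the payload itself cannot be read without the key.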
Because UDP is a sessionless protocol by design, there is no guarantee that all transmitted packets will reach the destination without loss. To mitigate this, SpyDealer builds a simple session layer on top of UDP. It divides the original data into multiple groups of no more than 1000 bytes each. The groups are sent one by one, and every transmission is repeated three times. So that the data can be reassembled on the server side, an identification header is prepended to each group. The format of each transmitted group is:\r\nMulPacket\\n\u003cIMEI\u003e\\n\u003cUUID\u003e\\n\u003c#TotalGroups\u003e\\n\u003cCurrentGroupId\u003e\\n\u003cData\u003e\r\nIMEI: IMEI of the compromised device\r\nUUID: This field consists of two parts. The first part is an integer starting from 0 that is incremented for each transmission; after reaching 10,000,000 it is reset to 0. The second part is the current time in milliseconds\r\n#TotalGroups: Total number of groups\r\nCurrentGroupId: The index of the current group, starting from 1\r\nData: The payload data\r\nPrivate Data Collection\r\nAs discussed in the Command \u0026 Control section, this malware employs many mechanisms to collect private data. Additionally, with root privilege, SpyDealer also tries to gather data from more than 40 common apps in different categories including social, communication, browser, mobile mail client, etc. 
The targeted apps are listed in Table 7.\r\nID Package Name App Name\r\n1 com.facebook.katana Facebook\r\n2 com.tencent.mm WeChat\r\n3 com.whatsapp WhatsApp\r\n4 com.skype.raider/com.skype.rover Skype\r\n5 jp.naver.line.android Line\r\n6 com.viber.voip Viber\r\n7 com.tencent.mobileqq QQ\r\n8 org.telegram.messenger Telegram\r\n9 com.alibaba.mobileim Ali WangXin\r\n10 kik.android Kik\r\n11 com.icq.mobile.client icq video calls \u0026 chat\r\nhttps://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/\r\nPage 14 of 23\n\n12 com.keechat.client KeeChat Messenger\r\n13 com.oovoo ooVoo Video Call, Text \u0026 Voice\r\n14 com.instanza.cocovoice Coco\r\n15 com.bbm BBM\r\n16 com.gtomato.talkbox TalkBox Voice Messenger\r\n17 com.rebelvox.voxer Voxer Walkie Talkie Messenger\r\n18 com.immomo.momo MOMO\r\n19 com.zing.zalo Zalo\r\n20 com.loudtalks Zello PTT Walkie Talkie\r\n21 com.duowan.mobile 手机YY\r\n22 im.yixin 易信\r\n23 cn.com.fetion 飞信\r\n24 com.sgiggle.production Tango\r\n25 com.renren.mobile.android 人人\r\n26 net.iaround 遇见\r\n27 com.sina.weibo Sina Weibo\r\n28 com.tencent.WBlog Tencent Weibo\r\n29 org.mozilla.firefox Firefox Browser\r\n30 com.oupeng.browser Oupeng Browser\r\n31 com.android.browser Android Native Browser\r\n32 com.baidu.browser.apps Baidu Browser\r\n33 com.tencent.mtt Tencent QQ Browser\r\n34 com.lenovo.browser Lenovo Browser\r\n35 com.qihoo.browser Qihoo Browser\r\n36 com.taobao.taobao Taobao\r\n37 com.netease.mobimail NetEase Mail\r\n38 com.tencent.androidqqmail Tencent QQ Mail\r\n39 com.corp21cn.mail189 189 Mail\r\n40 cn.cj.pe 139 Mail\r\nhttps://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/\r\nPage 15 of 23\n\n41 com.baidu.netdisk Baidu Net Disk\r\n42 com.l Smart Shopping List - Listonic\r\n43 com.dewmobile.kuaiya Zapya\r\n44 com.funcity.taxi.passenger Kuaidi Taxi\r\nTable 7 The full list of the targeted apps\r\nTo gather sensitive data from above apps, SpyDealer first 
drops an executable binary named dealapp from local assets to the\r\napp’s own data directory and then copies it to /system/bin/dealapp with superuser privilege. The /system/bin/dealapp is then\r\nlaunched to gather various kinds of data from the target apps. The data collected is not limited to database files, but also\r\nincludes some configuration and other specific files. Table 8 lists some target apps and the various directories, databases and\r\nfiles which the malware tries to access.\r\nTable 8 Files which SpyDealer tries to access\r\nApp Name Files Accessed\r\nFacebook /data/data/com.facebook.katana/databases/contacts_db2\r\nWeChat /data/data/com.tencent.mm/MicroMsg/***/EnMicroMsg.db\r\nWhatsApp\r\n/data/data/com.whatsapp/shared_prefs/RegisterPhone.xml\r\n/data/data/com.whatsapp/shared_prefs/registration.RegisterPhone.xml\r\nSkype /data/data/com.skype.raider/files/\u003caccount_name\u003e/main.db\r\nLine\r\n/data/data/jp.naver.line.android/databases/e2ee\r\n/data/data/jp.naver.line.android/databases/naver_line\r\nViber\r\n/data/data/com.viber.voip/files/preferences/reg_viber_phone_num\r\n/data/data/com.viber.voip/files/preferences/display_name\r\n/data/data/com.viber.voip/databases/viber_messages\r\nQQ /data/data/com.tencent.mobileqq/databases/*.db\r\nTelegram\r\n/data/data/org.telegram.messenger/files/cache4.db\r\n/data/data/org.telegram.messenger/shared_prefs/userconfing.xml\r\nKik\r\n/data/data/kik.android/shared_prefs/KikPreferences.xml\r\n/data/data/kik.android/databases/kikCoreDatabase.db\r\nicq video calls \u0026 chat /data/data/com.icq.mobile.client/databases/agent-dao\r\nKeeChat Messenger\r\n/data/data/com.keechat.client/app_Parse/currentUser\r\n/data/data/com.keechat.client/databases\r\nooVoo Video Call, Text \u0026 Voice 
/data/data/com.oovoo/databases/Core.db\r\nBBM\r\n/data/data/com.bbm/files/bbmcore/ads.db\r\n/data/data/com.bbm/files/bbmcore/files/\r\nTalkBox Voice Messenger\r\n/data/data/com.gtomato.talkbox/shared_prefs/TalkBoxData.xml\r\n/data/data/com.gtomato.talkbox/databases/*_conversations.db\r\nVoxer Walkie Talkie Messenger /data/data/com.rebelvox.voxer/databases/rv.db\r\nZello PTT Walkie Talkie /data/data/com.loudtalks/shared_prefs/preferences.xml\r\nTango\r\n/data/data/com.sgiggle.production/files/userinfo.xml.db\r\n/data/data/com.sgiggle.production/files/profilecache.db\r\n/data/data/com.sgiggle.production/files/tc.db\r\nFirefox Browser\r\n/data/data/org.mozilla.firefox/files/mozilla/browser.db\r\n/data/data/org.mozilla.firefox/files/mozilla/cookies.sqlite\r\n/data/data/org.mozilla.firefox/files/mozilla/signons.sqlite\r\nOupeng Browser\r\n/data/data/com.oupeng.browser/databases/bookmark.db\r\n/data/data/com.oupeng.browser/databases/webviewCookiesChromium.db\r\n/data/data/com.oupeng.browser/databases/webview.db\r\nAndroid Native Browser /data/data/com.android.browser/databases/webviewCookiesChromium.db\r\nBaidu Browser\r\n/data/data/com.baidu.browser.apps/databases/webviewCookiesChromium.db\r\n/data/data/com.baidu.browser.apps/databases/flyflowdownload.db\r\nTencent QQ Browser\r\n/data/data/com.tencent.mtt/databases/webviewCookiesChromium.db\r\n/data/data/com.tencent.mtt/databases/default_user.db\r\n/data/data/com.tencent.mtt/databases/webview_x5.db\r\nLenovo Browser\r\n/data/data/com.lenovo.browser/databases/lebrowser.db\r\n/data/data/com.lenovo.browser/databases/xldownloads.db\r\nQihoo Browser\r\n/data/data/com.qihoo.browser/databases/browser.db\r\n/data/data/com.qihoo.browser/databases/downloads.db\r\n/data/data/com.qihoo.browser/databases/webviewCookiesChromium.db\r\n/data/data/com.qihoo.browser/databases/webview.db\r\nNetEase Mail 
/data/data/com.netease.mobimail/databases/mmail\r\nTencent QQ Mail\r\n/data/data/com.tencent.androidqqmail/databases/AccountInfo\r\n/data/data/com.tencent.androidqqmail/databases/QMMailDB\r\n189 Mail /data/data/com.corp21cn.mail189/databases/preferences_storage\r\nBaidu Net Disk /data/data/com.baidu.netdisk/databases/account.db\r\nZapya\r\n/data/data/com.dewmobile.kuaiya/databases/im_user.db\r\n/data/data/com.dewmobile.kuaiya/databases/transfer20.db\r\nThe dealapp binary can also be updated from the remote server as shown in Figure 11.\r\nFigure 11 dealapp update procedure\r\nAccessibility Service Abuse\r\nAn increasing number of apps encrypt data before storing it in databases, especially popular communication and\r\nsocial apps. App developers do this to protect user data from malicious attacks like this one. To get around this obstacle, starting\r\nin version 1.9.3, SpyDealer implemented an extra accessibility service to steal plain-text messages by directly extracting text\r\nfrom the screen. Figure 12 depicts the accessibility service configuration in which the package names of the targeted apps are\r\ndeclared.\r\nFigure 12 Configuration of the accessibility service\r\nNormally, enabling the accessibility service requires the user to go through the device’s settings manually.\r\nHowever, with root privilege, SpyDealer can silently enable the accessibility service without the user’s participation. The\r\ncommand used to enable the accessibility service is depicted in Figure 13.\r\nFigure 13 Enabling the accessibility service silently by executing a command with root privilege\r\nWith the accessibility service enabled, SpyDealer primarily listens for TYPE_NOTIFICATION_STATE_CHANGED and\r\nCONTENT_CHANGE_TYPE_SUBTREE events. A notification is posted when a message arrives, and this triggers the\r\nTYPE_NOTIFICATION_STATE_CHANGED event. 
Usually, a user will click the notification to view the message, which\r\nbrings the detail view to the front. This behavior in turn fires the CONTENT_CHANGE_TYPE_SUBTREE event. Once\r\nthe CONTENT_CHANGE_TYPE_SUBTREE event arrives, the malware starts to traverse the current screen to\r\nextract plain-text messages. Although the number of messages visible at once is limited by the dimensions of the device’s screen,\r\ncontinuously monitoring the screen allows the complete messages to be extracted. After gathering the messages, SpyDealer\r\nsends them to the remote server (Figure 14) along with other information including IMEI, IMSI, package name and app\r\nname.\r\nFigure 14 Sending the extracted data along with other information to the remote server\r\nSurveillance\r\nSpyDealer is capable of surveilling a compromised victim through multiple means including recording phone calls and\r\nsurrounding audio, recording video, taking photos, capturing screenshots, and monitoring geographical location. It takes\r\nthese actions based on commands it receives from the command and control channels described above.\r\nRecord Phone Call and Surrounding Audio\r\nSpyDealer registers a PhoneStateListener to monitor the phone call status. Once there is an active phone call, the audio\r\nrecording procedure is triggered. The recorded audio data is finally compressed in zip format and stored to\r\n/sdcard/.tmp/audio/\u003ccurrent_time_in_yyyyMMddHHmmss\u003e_\u003cphone_call_num\u003e\u003cphone_call_date\u003e.zip\r\nA message in the format “audio\\n\u003cIMSI\u003e\\n\u003cIMEI\u003e\\n\u003czip_file_path\u003e” is sent to the remote server after the audio has been\r\nsuccessfully recorded.\r\nIn addition to recording phone calls, SpyDealer is also capable of recording surrounding, ambient audio. It can be\r\nconfigured to record audio during a specific time range. 
The recorded audio file is stored in zip format to the following path\r\n/sdcard/.tmp/environmentaudioaudio/\u003ccurrent_time_in_yyyyMMddHHmmss\u003e.zip\r\nAudio files recorded more than seven days ago are automatically deleted from the directory\r\n/sdcard/.tmp/environmentaudioaudio.\r\nRecord Video\r\nSpyDealer checks every three seconds whether the camera is available to record a video. In the Android system, a preview\r\nsurface is required to take a video, which would normally make the user aware of the video recording. To avoid this, SpyDealer\r\nintentionally sets a very tiny preview surface which, in this case, is 3.0dip * 3.0dip in dimensions. Each video is recorded for\r\n10 seconds and is finally stored to\r\n/data/data/\u003cpackage_name\u003e/files/cameravideo/\u003ccurrent_time_in_yyyyMMddHHmmss\u003e.zip\r\nIf a network connection is available, SpyDealer sends a message in the format “cameravideo\\n\u003cIMSI\u003e\\n\u003cIMEI\u003e\\n\u003czip_file_path\u003e” to the remote server.\r\nFigure 15 A tiny surface view is defined for recording video silently\r\nTake Photos\r\nSimilar to recording video without the user’s awareness, this malware creates another tiny preview surface which is\r\n0.100000024dip * 0.100000024dip in dimensions before taking a photo. Whether the front or rear camera is used depends on the\r\nconfiguration, which the attacker can set remotely. The taken photo is stored to\r\n/data/data/\u003cpackage_name\u003e/files/camerapic/camera_\u003ccurrent_time_in_milliseconds\u003e.jpg\r\nA message indicating that a photo has been taken is then sent to the remote server in the format\r\n“camerapic\\n\u003cIMSI\u003e\\n\u003cIMEI\u003e\\n\u003cpicture_path\u003e”.\r\nMonitor Geographic Location\r\nSpyDealer dynamically registers a broadcast receiver listening for the screen’s status. Whenever the screen is turned off, it tries\r\nto get the geographical location via GPS. 
At the same time, a location listener is registered to track the device’s location.\r\nThis location listener is notified with the updated location every 10 seconds or whenever 100 meters of movement occurs\r\nbetween location updates. If a network connection is available, the location data will be sent to the remote server in the\r\nformat\r\nLGPS\\n\u003cIMEI\u003e\\n\u003cIMSI\u003e\\n\u003clongitude\u003e\\n\u003clatitude\u003e\\n\u003ccurrent_time_in_yyyy-MM-dd hh:mm:ss\u003e\r\nIf there is no network connection, the location data is saved locally and uploaded later when the connection\r\nis restored.\r\nAn icon indicating GPS usage is shown on the status bar while the GPS is active. To avoid arousing the user’s suspicion, SpyDealer\r\nstops tracking the device’s location once the device’s screen is turned on.\r\nOther Functionalities\r\nBesides the many powerful capabilities described above, SpyDealer is also capable of automatically answering an incoming\r\nphone call and dynamically loading plugins downloaded from the remote server.\r\nIf the incoming phone call is from a specific number, which can be remotely configured, this malware simulates an\r\nearphone-plugged event to automatically answer the phone call, as detailed in Figure 16. With this functionality,\r\nSpyDealer can cause the victim to miss phone calls without their awareness.\r\nFigure 16 Implementation of automatically answering an incoming phone call\r\nConclusion\r\nSpyDealer makes use of the commercial rooting app “Baidu Easy Root” to gain root privilege and maintain persistence on\r\nthe compromised device. It employs a wide array of mechanisms to steal private information. At the same time, it accesses\r\nand exfiltrates sensitive data from more than 40 different popular apps with root privilege. 
With the accessibility service, this\r\nmalware is also capable of extracting plain-text messages from target apps in real time. To remotely control the victim\r\ndevice, the malware implements three different C2 channels and supports more than 50 commands.\r\nCustomers of Palo Alto Networks are protected by our WildFire, URL filtering services, and Traps for Android. WildFire is able\r\nto automatically classify SpyDealer samples as malicious, and AutoFocus users can track this malware using the SpyDealer\r\ntag. Traps for Android protects Android devices: it automatically intercepts malicious apps installed on the device by\r\nleveraging WildFire and protects the device from SpyDealer apps by blocking the app and notifying the user.\r\nAcknowledgements\r\nWe would like to thank Claud Xiao and Ryan Olson from Palo Alto Networks for their assistance during the analysis.\r\nAppendix A - IOCs\r\nSamples of SpyDealer\r\nThe downloaded raw.zip which contains exploits stolen from “Baidu Easy 
Root”\r\ncfd0a4f266a51c45ff7b33e5854bc62a49cfc769e62e1d73dd06ff92a7088f51\r\nAppendix B - IP/Domain List of C2 Servers\r\nSource: https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
	],
	"report_names": [
		"unit42-spydealer-android-trojan-spying-40-apps"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1d1e8022f86f79dae4e0fd6daec7a49f02ee70c.pdf",
		"text": "https://archive.orkl.eu/d1d1e8022f86f79dae4e0fd6daec7a49f02ee70c.txt",
		"img": "https://archive.orkl.eu/d1d1e8022f86f79dae4e0fd6daec7a49f02ee70c.jpg"
	}
}