S0324: SpyDealer
Analyst context for executives and security teams
SpyDealer is an Android malware entry in ATT&CK focused on stealing sensitive data from mobile devices. Its mapped behaviors make it material beyond a single handset: it is associated with privilege escalation, runtime code download, collection of stored app data, call logs, contacts, SMS, audio, video, screen content, location, and network configuration, plus persistence and out-of-band communications techniques. For leaders, the practical issue is whether mobile devices that access corporate data are governed, monitored, and recoverable enough to treat a compromised phone as a real identity, privacy, and business-continuity incident.
Executive priority
Prioritize SpyDealer as a mobile data-exposure and surveillance risk for Android environments, especially where phones are used for executive communications, regulated data, MFA, messaging, or operational workflows. The key business questions are: which Android devices can access sensitive systems, what mobile telemetry is retained, how quickly can the organization isolate or re-enroll a suspicious device, and whether mobile controls provide audit evidence for permissions, app provenance, patch posture, and incident response actions.
Technical view
ATT&CK does not provide official detection text for SpyDealer, so SOC and IR teams should validate coverage through the related mobile techniques rather than assuming a malware-specific analytic exists. On Android, focus on suspicious permission use and abuse around microphone, camera, location, contacts, call logs, SMS, screen capture, stored application data, broadcast receivers, runtime code loading, privilege escalation indicators, system binary modification, and network or out-of-band communication paths. Because tactics are not specified in the supplied object, map detections to the observed technique behaviors and local mobile-device-management or endpoint telemetry rather than to a fixed ATT&CK tactic chain.
Likely telemetry
- Android application inventory, package metadata, signing/provenance, and installation source records
- Mobile device management or enterprise mobility logs showing device posture, OS version, enrollment state, permissions, and compliance state
- Android permission grants and requests for RECORD_AUDIO, camera, location, contacts, call log, SMS, screen capture, and background location where available
- Runtime indicators such as dynamic code loading, newly downloaded executable components, or unexpected application updates outside normal channels
- Network telemetry from mobile gateways, DNS/proxy/VPN, cellular or Wi-Fi egress where available
Detection direction
- Build behavior-based mobile detections around the mapped techniques instead of relying on the SpyDealer name alone, since official ATT&CK detection guidance is not supplied.
- Validate whether Android telemetry can show high-risk permission combinations, especially access to SMS, contacts, call logs, microphone, camera, location, and screen capture by apps that do not have a clear business justification.
- Tune for false positives from legitimate communications, conferencing, navigation, accessibility, and device-management applications; prioritize unusual combinations, new installs, sideloaded apps, runtime code download, or noncompliant devices.
- Assess blind spots created by BYOD, unmanaged Android devices, lack of mobile network visibility, limited OS logging, and privacy restrictions that may prevent collection of the needed evidence.
- Use relationship context to hunt for chained behavior: privilege escalation enabling access to stored app data, broadcast receivers supporting persistence, runtime code download evading static review, and out-of-band channels reducing network detection visibility.
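As an added example (not part of the original page or the MITRE object), the following Python scores records from a constructed app-inventory export against the SpyDealer-mapped behaviors above: sensitive permission clusters, sideloading, APKs on the system partition, boot receivers, and runtime code loading, with an allowlist to tune out apps that have a business justification. The record field names, the trusted-installer set and the justified-app list are assumptions, not a vendor schema.

```python
import json

# Permissions that map to the data SpyDealer collects (SMS, call log, contacts,
# audio, camera, location) plus Accessibility, which it abuses for screen content.
SENSITIVE = {
    "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS", "RECORD_AUDIO",
    "CAMERA", "ACCESS_FINE_LOCATION", "BIND_ACCESSIBILITY_SERVICE",
}
TRUSTED_INSTALLERS = {"com.android.vending"}          # Play Store (assumed policy)
# Apps with a business justification for some sensitive permissions (assumed list).
JUSTIFIED = {"com.example.conferencing": {"CAMERA", "RECORD_AUDIO", "READ_CONTACTS"}}

def score_app(app: dict) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one inventory record."""
    findings = []
    perms = set(app.get("permissions", [])) & SENSITIVE
    perms -= JUSTIFIED.get(app["package"], set())    # tune out justified use
    if len(perms) >= 3:                               # unusual combination
        findings.append((3, "sensitive permission cluster: " + ",".join(sorted(perms))))
    if app.get("installer") not in TRUSTED_INSTALLERS:
        findings.append((2, "sideloaded (installer=%s)" % app.get("installer")))
    if app.get("path", "").startswith("/system/"):    # T1645-style persistence
        findings.append((3, "APK on system partition"))
    if "BOOT_COMPLETED" in app.get("receivers", []):  # T1624.001 boot receiver
        findings.append((1, "boot-completed receiver"))
    if app.get("loads_code_at_runtime"):              # T1407
        findings.append((2, "runtime code loading observed"))
    return sum(p for p, _ in findings), [r for _, r in findings]

def triage(jsonl: str, threshold: int = 5) -> dict[str, int]:
    """Score every record in a JSON-lines export; return {package: score} at or above threshold."""
    hits = {}
    for line in jsonl.strip().splitlines():
        app = json.loads(line)
        score, _ = score_app(app)
        if score >= threshold:
            hits[app["package"]] = score
    return hits

# Constructed sample export: one justified conferencing app, one spyware-like app.
SAMPLE = """\
{"package": "com.example.conferencing", "installer": "com.android.vending", "path": "/data/app/x", "permissions": ["CAMERA","RECORD_AUDIO","READ_CONTACTS"], "receivers": [], "loads_code_at_runtime": false}
{"package": "com.example.sus", "installer": null, "path": "/system/app/sus", "permissions": ["READ_SMS","READ_CALL_LOG","READ_CONTACTS","RECORD_AUDIO","CAMERA","ACCESS_FINE_LOCATION","BIND_ACCESSIBILITY_SERVICE"], "receivers": ["BOOT_COMPLETED"], "loads_code_at_runtime": true}
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'com.example.sus': 11}
```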
Mitigation priorities
- Confirm which Android devices are allowed to access corporate data and require enrollment, compliance checks, patch currency, and the ability to quarantine or wipe where policy allows.
- Restrict app installation sources and review mobile application risk, especially for apps requesting sensitive permissions or downloading code after installation.
- Reduce data exposure by limiting corporate data stored on devices and enforcing containerization or managed app controls where appropriate.
- Prioritize vulnerability and patch management for Android devices because the mapped behavior includes exploitation for privilege escalation.
- Harden permission governance for microphone, camera, location, SMS, contacts, call logs, screen capture, and background access; require business justification and periodic review.
Analyst notes and limits
The supplied ATT&CK object identifies SpyDealer as Android malware that exfiltrates sensitive data and provides a Palo Alto Networks reference, but no official ATT&CK detection section. The strongest defensive value comes from the related techniques: they describe the data types and device capabilities defenders should validate in mobile monitoring, policy, and response procedures.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, attribution, prevalence, indicators of compromise, or guaranteed detection. Local device ownership model, MDM coverage, Android version mix, privacy constraints, and available forensic telemetry will determine actual defensive coverage.
SpyDealer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1513 | Screen Capture | SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ. [1] |
| Mobile | T1407 | Download New Code at Runtime | SpyDealer downloads and executes root exploits from a remote server. [1] |
| Mobile | T1636.002 | Call Log Sub-technique | SpyDealer harvests phone call history from victims. [1] |
| Mobile | T1645 | Compromise Client Software Binary | SpyDealer maintains persistence by installing an Android application package (APK) on the system partition. [1] |
| Mobile | T1644 | Out of Band Data | SpyDealer enables remote control of the victim through SMS channels. [1] |
| Mobile | T1409 | Stored Application Data | SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others. [1] |
| Mobile | T1430 | Location Tracking | SpyDealer harvests location data from victims. [1] |
| Mobile | T1636.003 | Contact List Sub-technique | SpyDealer harvests contact lists from victims. [1] |
| Mobile | T1404 | Exploitation for Privilege Escalation | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim. [1] |
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | SpyDealer registers a broadcast receiver to listen for events related to device boot-up. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | SpyDealer harvests SMS and MMS messages from victims. [1] |
| Mobile | T1429 | Audio Capture | SpyDealer can record phone calls and surrounding audio. [1] |
| Mobile | T1422 | System Network Configuration Discovery | SpyDealer harvests the device phone number, IMEI, and IMSI. [1] |
| Mobile | T1512 | Video Capture | SpyDealer can record video and take photos via front and rear cameras. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 69390208bfe1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] PaloAlto-SpyDealer: Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
- [2] SpyDealer (Citation: PaloAlto-SpyDealer)
- [3] mitre-attack S0324
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.