S0408: FlexiSpy
Analyst context for executives and security teams
FlexiSpy is an Android-focused ATT&CK mobile software entry for commercial surveillanceware that markets itself as parental control and employee monitoring. Its value for defenders is not the brand name alone; it represents a high-risk mobile monitoring pattern: collection of communications, local data, location, audio, video, screen content, and keystrokes, with concealment and persistence behaviors also mapped by ATT&CK.
Executive priority
Treat this as a mobile privacy, insider-risk, and business-continuity concern where Android devices carry corporate identity, messaging, customer data, or operational access. Leaders should ask whether managed devices can prove which monitoring apps are installed, what sensitive permissions are granted, whether hidden or obfuscated apps are visible to security tooling, and how incident response would handle potential credential, message, location, audio, or camera exposure. It is also relevant to compliance evidence because the behavior touches personal data, communications, and employee monitoring boundaries.
Technical view
ATT&CK lists FlexiSpy as Android platform software and provides no official detection text. Coverage should therefore be validated from the mapped behaviors: obfuscated files or traffic, access to stored application and local system data, keylogging, installed software discovery, network connection discovery, audio/video/screen capture, location tracking, non-standard port use, broadcast receiver persistence, runtime API hijacking, suppressed launcher icon, file deletion, and collection of calendar, contacts, and SMS data. SOC and IR teams should test whether mobile telemetry can connect an installed package to sensitive permissions, background execution triggers, hidden application indicators, unusual local data access, and network flows that do not match expected protocol/port patterns.
Likely telemetry
- MDM/UEM mobile application inventory for Android devices
- Android package metadata, signing details, install source, and application visibility/launcher-icon state where available
- Permission grants for microphone, camera, location, contacts, calendar, SMS, storage, accessibility, screen capture, and background location where available
- Mobile EDR or device security events for obfuscated applications, suspicious persistence via broadcast receivers, and runtime/API tampering indicators
- Network telemetry from mobile devices, VPN, secure web gateway, DNS, proxy, or firewall logs, especially protocol/port mismatches and unusual destinations
Detection direction
- Do not rely on name-based detection alone; validate behavior-based visibility across the ATT&CK relationships because surveillanceware may be obfuscated or hidden from the launcher.
- Tune mobile detections for combinations of sensitive permissions plus background execution, such as location, microphone, camera, SMS, contacts, calendar, screen capture, and persistence-related broadcast receivers.
- Review false positives carefully: legitimate enterprise management, accessibility, parental control, or employee monitoring tools may request similar permissions, so detections should incorporate authorization status, device ownership, approved software lists, and business justification.
- Validate whether network controls can identify non-standard port usage and whether mobile traffic is actually routed through observable enterprise telemetry.
- For IR, assume potential exposure of credentials and sensitive communications only when local evidence supports it; the ATT&CK mapping includes keylogging and data collection behaviors, but the object does not provide environment-specific impact evidence.
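As an added example (not code from Glexia or MITRE), the triage logic below applies the detection direction above to constructed MDM/UEM app-inventory records: it maps sensitive Android permissions to the collection techniques in this entry, treats a boot receiver or a hidden launcher icon as the persistence/concealment signal, and only escalates on the combination, with authorization status deciding between "alert" and "review". The record field names are assumptions, not a real MDM export schema.

```python
from dataclasses import dataclass

# Android permissions mapped to the ATT&CK collection techniques listed on this page.
# BIND_ACCESSIBILITY_SERVICE is declared by an accessibility service; here it is
# used as an indicator of keylogging capability, not as a granted permission.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "T1429 Audio Capture",
    "android.permission.CAMERA": "T1512 Video Capture",
    "android.permission.ACCESS_FINE_LOCATION": "T1430 Location Tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "T1430 Location Tracking",
    "android.permission.READ_SMS": "T1636.004 SMS Messages",
    "android.permission.READ_CONTACTS": "T1636.003 Contact List",
    "android.permission.READ_CALENDAR": "T1636.001 Calendar Entries",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "T1417.001 Keylogging",
}

@dataclass
class AppRecord:                 # hypothetical MDM/UEM inventory row
    package: str
    permissions: set
    boot_receiver: bool          # registers a BOOT_COMPLETED receiver (T1624.001)
    launcher_icon: bool          # False means no launcher entry (T1628.001)
    approved: bool               # on the organization's approved-software list

def score(app: AppRecord) -> dict:
    """Return the mapped techniques, persistence flag and a triage verdict."""
    hits = sorted({SENSITIVE[p] for p in app.permissions if p in SENSITIVE})
    persistence = app.boot_receiver or not app.launcher_icon
    # Escalate only on the combination: several collection permissions plus a
    # persistence or concealment indicator. Authorized tools go to review, not alert.
    if len(hits) >= 3 and persistence:
        verdict = "review" if app.approved else "alert"
    elif hits:
        verdict = "monitor"
    else:
        verdict = "none"
    return {"package": app.package, "techniques": hits,
            "persistence": persistence, "verdict": verdict}

# Constructed sample inventory: an approved management agent, an unapproved hidden
# app with a surveillanceware-like permission set, and a benign single-permission app.
SAMPLE_INVENTORY = [
    AppRecord("com.example.mdmagent", {"android.permission.ACCESS_FINE_LOCATION",
              "android.permission.CAMERA", "android.permission.READ_CONTACTS"}, True, True, True),
    AppRecord("com.example.sysservice", {"android.permission.RECORD_AUDIO",
              "android.permission.READ_SMS", "android.permission.ACCESS_BACKGROUND_LOCATION",
              "android.permission.BIND_ACCESSIBILITY_SERVICE"}, True, False, False),
    AppRecord("com.example.weather", {"android.permission.ACCESS_FINE_LOCATION"}, False, True, False),
]

def triage(records=SAMPLE_INVENTORY) -> list:
    return [score(r) for r in records]
```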
Mitigation priorities
- Establish and enforce an approved mobile application policy for managed Android devices, including explicit rules for monitoring and surveillance applications.
- Use MDM/UEM controls to restrict unapproved app installation, manage high-risk permissions, and maintain auditable app and permission inventories.
- Prioritize controls around sensitive mobile data: SMS, contacts, calendar, local files, location, microphone, camera, screen capture, and accessibility-related capabilities where supported by the platform and management stack.
- Require incident response playbooks for suspected mobile surveillanceware that include device isolation, evidence preservation, application inventory review, permission review, and credential reset decisions when keylogging or data access is substantiated.
- Support compliance and HR/legal review for any employee monitoring use so authorized tools are distinguishable from unauthorized surveillanceware in detection and audit workflows.
Analyst notes and limits
The most important defender question is whether the organization can see enough mobile state to distinguish an authorized monitoring tool from an unauthorized surveillance application. The relationship set is broad and includes collection, discovery, persistence, concealment, and cleanup behaviors, which makes local telemetry quality more important than any single indicator.
MITRE provides no official detection guidance for this object. The supplied ATT&CK platform is Android, while the description notes iOS and Android and says comprehensive public analysis was only found for Android. Tactics are not specified. This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage.
FlexiSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1513 | Screen Capture | FlexiSpy can take screenshots of other applications. (Citation: FlexiSpy-Features) |
| Mobile | T1429 | Audio Capture | FlexiSpy can record both incoming and outgoing phone calls, as well as microphone audio. (Citation: CyberMerchants-FlexiSpy) |
| Mobile | T1409 | Stored Application Data | FlexiSpy uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. FlexiSpy can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp. (Citation: FortiGuard-FlexiSpy) |
| Mobile | T1421 | System Network Connections Discovery | FlexiSpy can collect a list of known Wi-Fi access points. (Citation: FlexiSpy-Features) |
| Mobile | T1636.001 | Calendar Entries Sub-technique | FlexiSpy can collect the device calendars. (Citation: CyberMerchants-FlexiSpy) |
| Mobile | T1417.001 | Keylogging Sub-technique | FlexiSpy can record keystrokes and analyze them for keywords. (Citation: FlexiSpy-Features) |
| Mobile | T1533 | Data from Local System | FlexiSpy can monitor device photos and can also access browser history and bookmarks. (Citation: FlexiSpy-Features) |
| Mobile | T1628.001 | Suppress Application Icon Sub-technique | |
| Mobile | T1509 | Non-Standard Port | FlexiSpy can communicate with the command and control server over ports 12512 and 12514. (Citation: FortiGuard-FlexiSpy) |
| Mobile | T1406 | Obfuscated Files or Information | FlexiSpy encrypts its configuration file using AES. (Citation: FortiGuard-FlexiSpy) |
| Mobile | T1512 | Video Capture | FlexiSpy can record video. (Citation: CyberMerchants-FlexiSpy) |
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | |
| Mobile | T1418 | Software Discovery | FlexiSpy can retrieve a list of installed applications. (Citation: FlexiSpy-Features) |
| Mobile | T1630.002 | File Deletion Sub-technique | FlexiSpy can delete data from a compromised device. (Citation: CyberMerchants-FlexiSpy) |
| Mobile | T1636.004 | SMS Messages Sub-technique | FlexiSpy can intercept SMS and MMS messages as well as monitor messages for keywords. (Citation: CyberMerchants-FlexiSpy) (Citation: FlexiSpy-Features) |
| Mobile | T1430 | Location Tracking | FlexiSpy can track the device's location. (Citation: CyberMerchants-FlexiSpy) |
| Mobile | T1625.001 | System Runtime API Hijacking Sub-technique | FlexiSpy installs boot hooks into `/system/su.d`. (Citation: FortiGuard-FlexiSpy) |
| Mobile | T1636.003 | Contact List Sub-technique | FlexiSpy can collect device contacts. (Citation: CyberMerchants-FlexiSpy) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b0597de9b3bc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FortiGuard-FlexiSpy: K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
- [2] CyberMerchants-FlexiSpy: Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
- [3] FlexiSpy-Website: FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019.
- [4] mitre-attack S0408
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.