S0421: GolfSpy
GolfSpy is Android spyware deployed by the group Bouncing Golf.[1]
Analyst context for executives and security teams
GolfSpy is an Android spyware entry in ATT&CK associated with the Bouncing Golf cyberespionage campaign. Its practical significance is that it maps to mobile behaviors that can expose sensitive business data from personal or managed devices: clipboard contents, contacts, SMS, call logs, local files, location, audio, video, and screen content. For leaders, this is less about one malware name and more about whether the organization can govern, monitor, and respond to high-risk mobile apps that request broad permissions and move collected data over a command-and-control channel.
Executive priority
Prioritize this as a mobile data-loss and executive/field-user surveillance risk, especially where Android devices access corporate messaging, identity workflows, customer data, or operational environments. Ask whether mobile device management, application vetting, permission governance, and incident response playbooks can produce evidence for audit and investigation: what app was installed, what permissions it held, what data it could access, and what network destinations it contacted. Because MITRE provides no official detection guidance for GolfSpy, coverage should be validated through control evidence rather than assumed from endpoint or network tooling.
Technical view
For SOC, detection engineering, and IR teams, validate Android-focused coverage against the related ATT&CK behaviors: obfuscated files or information, clipboard access, software/process/system discovery, audio/video/screen capture, location tracking, local data collection, archiving collected data, broadcast receiver persistence, file deletion, call log/contact/SMS collection, and exfiltration over a C2 channel. The relationship text adds useful specifics: the "archive" step is a simple XOR with a pre-configured key rather than compression, so staged files will not carry an archive signature and may need entropy or content-based checks; the trigger is the `USER_PRESENT` broadcast, meaning collection can start on device unlock without the user opening the app; and exfiltration is plain HTTP POST. Review whether mobile telemetry can show suspicious permission combinations, registered broadcast receivers, app inventory changes, use of sensitive Android content providers or APIs, creation of encoded staging files, and outbound communications from untrusted apps. Treat the Bouncing Golf relationship as threat-intelligence context, not proof of local exposure.
Likely telemetry
- MDM/EMM device inventory, Android version, compliance state, and installed application inventory
- Android application manifest and static-analysis data, including requested permissions and registered broadcast receivers
- Mobile app permission state for microphone, camera, location, contacts, SMS, call logs, storage, clipboard, and screen capture-related capabilities where available
- Mobile network telemetry such as DNS, proxy, firewall, VPN, or secure web gateway logs showing outbound app or device communications
- Mobile threat defense or endpoint telemetry for suspicious app behavior, obfuscation, local file access, archiving, deletion, and command-and-control-like traffic
Detection direction
- Baseline normal Android app permissions by business role and flag apps that combine surveillance-style permissions such as microphone, camera, location, contacts, SMS, call logs, storage, and screen capture-related access.
- Validate whether tools can observe behavior from Android apps, not just installation events; many relevant techniques depend on API use, content-provider access, local file staging, or background event triggers.
- Correlate app installation or update events with new sensitive permissions, broadcast receiver registration, discovery activity, archive creation, and outbound network connections.
- Tune for false positives from legitimate collaboration, navigation, backup, accessibility, or device-management apps that may request sensitive permissions for valid reasons.
- Pay attention to mobile blind spots: unmanaged devices, bring-your-own-device privacy limits, lack of per-app network attribution, encrypted traffic, sideloaded apps, and limited forensic visibility after file deletion.
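The permission-combination, trigger-receiver and false-positive points above, worked through as an added example. This is not GolfSpy code and not an ATT&CK or vendor rule; it assumes app inventory records of the kind an MDM/EMM or a static manifest parse provides (package, requested permissions, receiver intent-filter actions, installer), and the sample records, placeholder package names and thresholds are constructed for illustration.

```python
"""Triage Android app inventory records for GolfSpy-style permission/trigger combinations.

Added example for this page; it is not GolfSpy code and not an ATT&CK or vendor rule.
AppRecord mirrors fields an MDM/EMM app inventory or a static manifest parse usually
exposes (package, requested permissions, receiver intent-filter actions, installer).
The sample records and the thresholds in classify() are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Manifest permissions collapsed to the capability they unlock. Clipboard reads need no
# manifest permission on Android, so T1414 is only visible in runtime/behavioral telemetry.
PERMISSION_GROUPS = {
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.GET_ACCOUNTS": "accounts",
}

# Broadcast actions that run code without the user opening the app.
# USER_PRESENT is the trigger the ATT&CK entry records for GolfSpy (T1624.001).
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT",
    "android.intent.action.BOOT_COMPLETED",
}

PLAY_STORE = "com.android.vending"


@dataclass(frozen=True)
class AppRecord:
    package: str
    permissions: frozenset
    receiver_actions: frozenset      # intent-filter actions on declared receivers
    installer: Optional[str]         # installing package; None = unknown/sideloaded


def capability_groups(app: AppRecord) -> set:
    """Collapse raw permissions into the capability groups they unlock."""
    return {PERMISSION_GROUPS[p] for p in app.permissions if p in PERMISSION_GROUPS}


def classify(app: AppRecord) -> tuple:
    """Return (verdict, reasons) with verdict in {"flag", "review", "ok"}.

    Thresholds are assumptions, chosen so that a collaboration app asking for
    camera+audio+contacts+storage with no background trigger stays "ok", while
    messaging data plus recording, or recording wired to a trigger receiver, does not.
    """
    groups = capability_groups(app)
    triggers = app.receiver_actions & TRIGGER_ACTIONS
    reasons = []
    if {"sms", "call_log"} & groups and {"audio", "camera"} & groups:
        reasons.append("messaging data + recording: " + ", ".join(sorted(groups)))
    if triggers and {"audio", "camera"} & groups:
        reasons.append("recording permission with trigger receiver: " + ", ".join(sorted(triggers)))
    if len(groups) >= 6:
        reasons.append(f"{len(groups)} capability groups requested")
    if not reasons:
        return "ok", reasons
    # Same footprint from the Play Store is a review item, not an alert (false-positive tuning).
    if app.installer == PLAY_STORE:
        return "review", reasons
    reasons.append(f"installer={app.installer!r}, not the Play Store")
    return "flag", reasons


def _rec(package, perms, actions, installer):
    prefix = "android.permission."
    return AppRecord(package, frozenset(prefix + p for p in perms), frozenset(actions), installer)


# Constructed inventory records; the package names are placeholders, not real apps.
SAMPLE_INVENTORY = [
    _rec("com.example.spy", ["RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
                             "READ_SMS", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE", "GET_ACCOUNTS"],
         ["android.intent.action.USER_PRESENT"], None),
    _rec("com.example.meet", ["RECORD_AUDIO", "CAMERA", "READ_CONTACTS", "READ_EXTERNAL_STORAGE"],
         [], PLAY_STORE),
    _rec("com.example.walkie", ["RECORD_AUDIO", "CAMERA", "READ_CONTACTS"],
         ["android.intent.action.BOOT_COMPLETED"], PLAY_STORE),
    _rec("com.example.maps", ["ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE"],
         ["android.intent.action.BOOT_COMPLETED"], PLAY_STORE),
]


def triage(inventory=SAMPLE_INVENTORY) -> dict:
    """Map package name to verdict for every app in the inventory."""
    return {app.package: classify(app)[0] for app in inventory}


if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        verdict, reasons = classify(app)
        print(f"{verdict:6} {app.package}")
        for reason in reasons:
            print("       -", reason)
```

The sideloaded record combining SMS/call-log access, recording permissions and a `USER_PRESENT` receiver is flagged; the Play-installed conferencing app with a similar but trigger-less footprint passes; the Play-installed app that wires recording to `BOOT_COMPLETED` lands in "review" rather than "flag", which is where the legitimate-app tuning from the list above happens. Manifest data alone cannot see clipboard or screen-capture use, so this check complements, rather than replaces, behavioral telemetry.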
Mitigation priorities
- Establish or confirm managed Android enrollment, application inventory, OS/version compliance, and the ability to quarantine or remove risky apps from corporate-access devices.
- Restrict sideloading and require application vetting for devices that access corporate data, with special review for apps requesting broad surveillance or data-access permissions.
- Use least-privilege mobile access: limit which devices and apps can reach corporate email, messaging, identity prompts, files, and administrative workflows.
- Review permission governance and user prompts for microphone, camera, location, contacts, SMS, call logs, storage, clipboard, and screen capture capabilities, aligned to business need.
- Prepare mobile IR procedures that preserve app packages, permission state, local artifacts, and network evidence before remote wipe or remediation when investigation is required.
Analyst notes and limits
The supplied ATT&CK object identifies GolfSpy as Android spyware deployed by Bouncing Golf and provides relationship-driven behavior mapping to multiple mobile techniques. The highest defensive value is in validating mobile governance and telemetry against those behaviors, especially sensitive data collection and exfiltration paths. The relationship to Bouncing Golf provides campaign context, including the cited Middle East focus, but should not be interpreted as evidence that any specific organization is targeted or compromised.
MITRE does not provide official detection text for this object, no tactics are listed, no aliases are recorded, and the object platform is Android. Some technique relationship descriptions include broader Android/iOS context, but this page does not extend GolfSpy platform support beyond Android. Local environment evidence is required to determine exposure, detection coverage, or incident scope.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1512 | Video Capture | GolfSpy can record video.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | GolfSpy can collect SMS messages.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | GolfSpy exfiltrates data using HTTP POST requests.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | GolfSpy can obtain the device's contact list.[1] |
| Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | GolfSpy registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.[1] |
| Mobile | T1414 | Clipboard Data | GolfSpy can obtain clipboard contents.[1] |
| Mobile | T1430 | Location Tracking | GolfSpy can track the device's location.[1] |
| Mobile | T1406 | Obfuscated Files or Information | GolfSpy encodes its configurations using a customized algorithm.[1] |
| Mobile | T1533 | Data from Local System | GolfSpy can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. GolfSpy can list image, audio, video, and other files stored on the device. GolfSpy can copy arbitrary files from the device.[1] |
| Mobile | T1418 | Software Discovery | GolfSpy can obtain a list of installed applications.[1] |
| Mobile | T1426 | System Information Discovery | GolfSpy can obtain the device's battery level, network operator, connection information, sensor information, and information about the device's storage and memory.[1] |
| Mobile | T1424 | Process Discovery | GolfSpy can obtain a list of running processes.[1] |
| Mobile | T1429 | Audio Capture | GolfSpy can record audio and phone calls.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | GolfSpy can obtain the device's call log.[1] |
| Mobile | T1513 | Screen Capture | GolfSpy can take screenshots.[1] |
| Mobile | T1532 | Archive Collected Data | GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[1] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | GolfSpy can delete arbitrary files on the device.[1] |
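The T1532 row records only that staged data is XORed with a pre-configured key before it is POSTed out. A repeating-key XOR layer is recoverable once any part of the cleartext format is known, which matters for IR teams who find staging files on a device (see the mitigation note on preserving local artifacts). The following is an added example, not GolfSpy code: the key, the JSON record format and the known prefix are constructed assumptions, since the page does not state GolfSpy's key, key length or file format.

```python
"""Peel a repeating-key XOR layer off a staged collection file via known plaintext.

Added example for this page, not GolfSpy code. The only fact taken from the page is
that GolfSpy XORs collected data with a pre-configured key before exfiltration (T1532);
the key, key length, and record format below are constructed for illustration.
"""
import json
from itertools import cycle

# Constructed assumptions: an 8-byte key and a JSON record whose first field is fixed.
KEY = bytes.fromhex("5a3c91e70f64b829")
PLAINTEXT = json.dumps(
    {"type": "contacts", "data": [{"name": "Alice", "num": "+10000000000"}]},
    separators=(",", ":"),
).encode()
KNOWN_PREFIX = b'{"type":"contacts","data":'   # what an analyst expects every record to start with


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key repeated as needed; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


STAGED_BLOB = xor_bytes(PLAINTEXT, KEY)   # stands in for a file recovered from the device


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 32):
    """Return the shortest repeating key consistent with the known prefix, or None.

    XORing ciphertext with the known cleartext yields keystream bytes; a period n is
    accepted only if at least two full repetitions fit inside the known prefix, so a
    short prefix cannot 'confirm' an arbitrary key of length >= len(prefix)/2.
    """
    stream = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    for n in range(1, max_key_len + 1):
        if 2 * n > len(stream):
            return None
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def decode_staged(ciphertext: bytes, known_prefix: bytes):
    """Recover the key, decrypt, and parse the record; raise if the key cannot be confirmed."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        raise ValueError("known prefix too short to confirm a repeating key")
    return json.loads(xor_bytes(ciphertext, key))


if __name__ == "__main__":
    key = recover_key(STAGED_BLOB, KNOWN_PREFIX)
    print("recovered key:", key.hex())
    print("decoded record:", decode_staged(STAGED_BLOB, KNOWN_PREFIX))
```

With a 26-byte known prefix the 8-byte key is recovered and the record parses; a 10-byte prefix returns `None` rather than a guess, because two repetitions of an 8-byte key do not fit. In a real case the known prefix comes from the malware's record format (static analysis, or a cleartext copy of the same record type), and the same routine applies to any staging file written with a short repeating key.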
Groups, software, and campaigns
G0097: Bouncing Golf
Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e2ba64636fb1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign 'Bouncing Golf' Affects Middle East. Trend Micro. Retrieved January 27, 2020. (Cited in ATT&CK relationship text as "Trend Micro Bouncing Golf 2019".)
- [2] MITRE ATT&CK. S0421: GolfSpy. Mirrored source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.