S0425: Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]
Analyst context for executives and security teams
Corona Updates is an Android spyware entry tied by MITRE to a pandemic-themed campaign and multiple variants reportedly hosted on Google Play. Its importance is less the theme and more the mobile data-access pattern: the related behaviors include collecting contacts, SMS, call logs, local data, location, audio/video, notifications, and network/system details, with web-protocol communications and possible unencrypted exfiltration. For leaders, this is a reminder that approved-app-store sourcing alone is not sufficient mobile risk control.
Executive priority
Prioritize this as a mobile privacy, identity, and incident-readiness issue for Android fleets, especially where phones handle MFA codes, executive communications, regulated data, or sensitive field operations. Ask whether mobile device governance can prove which apps are installed, which permissions are granted, whether notification/SMS access is controlled, and whether incident responders can collect enough endpoint and network evidence to scope exposure. The object has no ATT&CK-provided detection text, so assurance should come from validated telemetry and policy enforcement, not assumptions.
Technical view
SOC and IR teams should validate Android-focused coverage for spyware behaviors mapped to this object: system and network discovery, Internet and Wi-Fi discovery, system information discovery, audio/video/location collection, notification access, local data access, SMS control, call log/contact/SMS collection, web-protocol communications, and unencrypted non-C2 exfiltration. Review app inventory, package metadata, requested/granted permissions, default SMS-handler status, notification listener access, microphone/camera/location use, content-provider access where available, and outbound HTTP/HTTPS or other cleartext destinations. Because ATT&CK provides no detection guidance or tactics for this malware object, detections should be behavior- and permission-oriented rather than name-only.
Likely telemetry
- Android app inventory and package installation history
- Application requested and granted permissions, including SMS, contacts, call log, location, microphone, camera, notification access, and storage-related permissions
- Default SMS-handler and notification listener configuration state
- Mobile device management or enterprise mobility management compliance events
- Mobile threat defense or endpoint security alerts for spyware-like behavior
Detection direction
- Do not rely only on the Corona Updates name; validate behaviors aligned to the related ATT&CK techniques and suspicious permission combinations.
- Tune for apps that combine sensitive collection permissions with network communications, especially SMS/contact/call-log/location/microphone/camera/notification access.
- Review mobile network logs for unusual web-protocol communication patterns and any cleartext exfiltration-like traffic, while accounting for normal mobile app background traffic.
- Correlate app install time, permission grants, and outbound communications to reduce false positives from legitimate communications, health, messaging, or device-management apps.
- Confirm visibility gaps for personally owned devices, devices not routed through enterprise network controls, and Android versions or privacy settings that limit collection.
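The detection direction above is easier to reason about as code. The following Python script is an added example, not tooling from Glexia or MITRE: it scores constructed Android app-inventory records by mapping requested permissions, notification-listener binding, default-SMS-handler state and observed network flows to the ATT&CK mobile technique IDs listed on this page, and flags apps that pair several collection capabilities with network access. The package names, IP addresses (TEST-NET-3 range), and the three-technique threshold are all constructed assumptions for illustration; the `android.permission.*` strings are real AOSP permission names.

```python
"""Score Android app inventory records against the permission and traffic
combinations described for Corona Updates. Added example with constructed
sample data; not part of the ATT&CK object or Glexia tooling."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Real AOSP permission strings mapped to the ATT&CK mobile technique IDs
# that appear in the techniques table on this page.
PERMISSION_TECHNIQUES: Dict[str, str] = {
    "android.permission.SEND_SMS": "T1582",
    "android.permission.READ_SMS": "T1636.004",
    "android.permission.RECEIVE_SMS": "T1636.004",
    "android.permission.READ_CALL_LOG": "T1636.002",
    "android.permission.READ_CONTACTS": "T1636.003",
    "android.permission.ACCESS_FINE_LOCATION": "T1430",
    "android.permission.ACCESS_COARSE_LOCATION": "T1430",
    "android.permission.RECORD_AUDIO": "T1429",
    "android.permission.CAMERA": "T1512",
    "android.permission.READ_EXTERNAL_STORAGE": "T1533",
    "android.permission.ACCESS_WIFI_STATE": "T1422.002",
    "android.permission.READ_PHONE_STATE": "T1426",
}

# Assumed tuning value: distinct collection techniques an app must combine
# with network access before it is raised for review.
COLLECTION_THRESHOLD = 3
NETWORK_TECHNIQUES = {"T1437.001", "T1639.001"}


@dataclass
class AppRecord:
    package: str
    permissions: Set[str]
    notification_listener: bool = False   # binds a NotificationListenerService
    default_sms_handler: bool = False     # currently the device's SMS app
    flows: List[Tuple[str, int]] = field(default_factory=list)  # (dest_host, dest_port)


def classify_flows(flows: List[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Label cleartext destinations seen in flow logs with the page's C2/exfil techniques."""
    findings = []
    for host, port in flows:
        if port == 21:
            findings.append(("T1639.001", f"FTP to {host}:{port} (cleartext non-C2 exfiltration path)"))
        elif port == 80:
            findings.append(("T1437.001", f"plain HTTP to {host}:{port}"))
    return findings


def assess(app: AppRecord, allowlist: FrozenSet[str] = frozenset()) -> Tuple[str, List[str]]:
    """Return (verdict, sorted technique IDs). Verdict is 'ok', 'review' or 'allowlisted'."""
    findings: List[Tuple[str, str]] = []
    for perm in sorted(app.permissions):
        technique = PERMISSION_TECHNIQUES.get(perm)
        if technique:
            findings.append((technique, perm))
    if app.notification_listener:
        findings.append(("T1517", "notification listener service bound"))
    if app.default_sms_handler:
        findings.append(("T1582", "app is the default SMS handler"))
    findings.extend(classify_flows(app.flows))

    techniques = {t for t, _ in findings}
    collection = techniques - NETWORK_TECHNIQUES
    has_network = "android.permission.INTERNET" in app.permissions or bool(app.flows)

    if app.package in allowlist:
        verdict = "allowlisted"          # known messaging/health/MDM app: suppress
    elif "T1639.001" in techniques:
        verdict = "review"               # cleartext FTP is worth a look on its own
    elif has_network and len(collection) >= COLLECTION_THRESHOLD:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, sorted(techniques)


# Constructed inventory: package names and hosts are illustrative only.
SAMPLE_INVENTORY = [
    AppRecord(
        "com.example.coronaupdates",
        permissions={
            "android.permission.INTERNET", "android.permission.READ_SMS",
            "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
            "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
            "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
            "android.permission.ACCESS_WIFI_STATE", "android.permission.READ_PHONE_STATE",
        },
        notification_listener=True,
        flows=[("203.0.113.10", 80), ("203.0.113.10", 21)],
    ),
    # A legitimate messenger requests a similar permission set, which is why
    # the allowlist and install/grant correlation matter for false positives.
    AppRecord(
        "com.example.messenger",
        permissions={"android.permission.INTERNET", "android.permission.READ_CONTACTS",
                     "android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
        notification_listener=True,
        flows=[("messenger.example", 443)],
    ),
    AppRecord("com.example.flashlight", permissions={"android.permission.CAMERA"}),
]


def run(inventory=SAMPLE_INVENTORY,
        allowlist: FrozenSet[str] = frozenset({"com.example.messenger"})) -> Dict[str, Tuple[str, List[str]]]:
    """Assess every app in the inventory; returns {package: (verdict, techniques)}."""
    return {app.package: assess(app, allowlist) for app in inventory}


if __name__ == "__main__":
    for package, (verdict, techniques) in run().items():
        print(f"{package:30s} {verdict:12s} {', '.join(techniques)}")
```

Running `run()` without the allowlist shows the messenger app tripping the same threshold as the spyware-like record, which is the false-positive problem the correlation bullet above is about: the permission pattern alone is a lead, and install history, grant timing and destination reputation decide whether it is worth escalating.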
Mitigation priorities
- Maintain enforceable Android app governance: approved app sources, app inventory, risky-app review, and removal workflows.
- Restrict or require justification for high-risk permissions such as SMS, notification access, call logs, contacts, location, microphone, camera, and storage.
- Use mobile device management or equivalent controls to enforce baseline configuration and collect compliance evidence for audit and incident response.
- Reduce identity risk by avoiding SMS-only authentication where possible and monitoring for mobile conditions that could expose one-time codes or notifications.
- Route managed mobile traffic through monitored controls where feasible, and block or alert on cleartext exfiltration paths consistent with policy.
Analyst notes and limits
The supplied ATT&CK object identifies Corona Updates as Android spyware associated with Project Spy and cites Trend Micro reporting from April 2020. MITRE relationships provide a broad behavior set spanning discovery, collection, command-and-control over web protocols, SMS control, and exfiltration. The practical defensive value is to test whether mobile security controls can see and govern these behaviors across Android devices rather than to match only one malware name.
ATT&CK provides no official detection text, no aliases, no labels, and no tactics for this malware object in the supplied fields. The relationship descriptions are technique-level context and do not prove every behavior occurred in every variant or in a specific environment. Local app inventory, permission state, mobile telemetry, and network evidence are required before assessing exposure or confirming activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1582 | SMS Control | Corona Updates can send SMS messages. [1] |
| Mobile | T1636.002 | Call Log (sub-technique) | Corona Updates can collect the device's call log. [1] |
| Mobile | T1517 | Access Notifications | Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application's notification content. [1] |
| Mobile | T1430 | Location Tracking | Corona Updates can track the device's location. [1] |
| Mobile | T1533 | Data from Local System | Corona Updates can collect voice notes, device accounts, and gallery images. [1] |
| Mobile | T1512 | Video Capture | Corona Updates can take pictures using the camera and can record MP4 files. [1] |
| Mobile | T1636.003 | Contact List (sub-technique) | Corona Updates can collect device contacts. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | Corona Updates can collect SMS messages. [1] |
| Mobile | T1429 | Audio Capture | Corona Updates can record MP4 files and monitor calls. [1] |
| Mobile | T1437.001 | Web Protocols (sub-technique) | Corona Updates communicates with the C2 server using HTTP requests. [1] |
| Mobile | T1422 | System Network Configuration Discovery | Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI. [1] |
| Mobile | T1426 | System Information Discovery | Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer. [1] |
| Mobile | T1639.001 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | Corona Updates has exfiltrated data using FTP. [1] |
| Mobile | T1422.001 | Internet Connection Discovery (sub-technique) | Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI. [1] |
| Mobile | T1422.002 | Wi-Fi Discovery (sub-technique) | Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9fc6f89699f2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Coronavirus Updates: T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
- [2] Concipit1248 (Citation: TrendMicro Coronavirus Updates)
- [3] Wabi Music (Citation: TrendMicro Coronavirus Updates)
- [4] mitre-attack S0425
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.