
S0426: Concipit1248

Concipit1248 is iOS spyware that was discovered using the same name as the developer of the Android spyware Corona Updates. Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.[1]

Domain: Mobile | ID: S0426 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Concipit1248 matters because it represents iOS spyware with reported overlap in command-and-control infrastructure and functionality with the Android spyware Corona Updates. For leaders, the practical issue is not just one named malware family, but whether mobile security, incident response, and evidence collection can handle spyware that uses normal web protocols, accesses local device data, and may use device cameras for surveillance.

Executive priority

Treat this as a mobile spyware readiness use case for iOS environments. Priority questions are: which business roles use iOS devices to access sensitive data, what telemetry is available if spyware is suspected, and whether mobile device management, app governance, network monitoring, and incident response processes can produce audit-ready evidence. The ATT&CK record does not provide impact, prevalence, or active exploitation claims, so prioritization should be based on local exposure to managed or unmanaged iOS devices and sensitivity of data accessible from them.

Technical view

SOC and IR teams should validate coverage around the related behaviors: T1437.001 Web Protocols for C2-like communications over HTTP/HTTPS, T1512 Video Capture through device camera access, and T1533 Data from Local System involving access to files, local databases, photos, tokens, Wi-Fi passwords, keyboard cache, or similar local data where observable. Because ATT&CK provides no detection text for this malware, teams should map available iOS controls and telemetry to these behaviors rather than rely on a malware-specific analytic.

Likely telemetry

  • Mobile device management inventory and compliance state for iOS devices
  • Installed application inventory and app provenance where available
  • Network proxy, DNS, firewall, or secure web gateway logs showing mobile HTTP/HTTPS destinations
  • Mobile threat defense or endpoint security alerts, if deployed for iOS
  • Application permission state or privacy prompts related to camera and local data access where available

Detection direction

  • Validate whether iOS mobile traffic can be associated with device identity, user identity, application context, and destination; encrypted web traffic without device/app context is a likely blind spot.
  • Look for unusual or unauthorized applications communicating to external web infrastructure, especially when paired with sensitive permissions or suspicious app provenance.
  • Tune carefully for false positives: HTTP/HTTPS is normal mobile traffic, and camera or local data access can be legitimate for business apps.
  • Use the relationship context to build behavior-based hypotheses around web-protocol C2, camera access, and local data collection rather than treating the malware name alone as the detection anchor.
  • Confirm whether unmanaged or personally owned iOS devices are outside telemetry scope, since that gap can materially limit investigation and compliance evidence.
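The Technical view and the Detection direction bullets above describe a mapping exercise rather than a signature: tie mobile web traffic to device, user and app context, flag unapproved apps that reach external web infrastructure while holding sensitive permissions, and surface unmanaged devices as a telemetry gap. The following Python hunt is an added example written for this page; it is not code from the ATT&CK record, Glexia, or the cited Trend Micro report. Every device ID, bundle ID, hostname, permission field and log line in it is a constructed placeholder, and the record layout (a JSON line per proxy event joined against an MDM inventory and an approved-app list) is an assumption about what a secure web gateway and MDM export might look like, not any vendor's format.

```python
"""Hunt over constructed mobile web-proxy records for the behaviours the
Detection direction bullets describe: unmanaged devices outside telemetry
scope, traffic without application context, and unapproved apps talking to
external web hosts while holding camera or photo permissions.

Added example, not from the ATT&CK record or Glexia. All device IDs, bundle
IDs, hostnames and log lines are constructed placeholders; nothing here is an
indicator for Concipit1248.
"""

import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed MDM inventory: device id -> owner. A device absent from this
# map is unmanaged, which is a telemetry gap, not evidence of compromise.
MDM_INVENTORY: Dict[str, dict] = {
    "ios-0001": {"user": "cfo", "managed": True},
    "ios-0002": {"user": "sales-01", "managed": True},
}

# Constructed approved-app inventory with the sensitive permissions each app
# was granted during review. Bundle IDs are placeholders.
APPROVED_APPS: Dict[str, set] = {
    "com.example.mail": set(),
    "com.example.scanner": {"camera", "photos"},
}

# Constructed allow list of destinations the approved business apps use.
KNOWN_BUSINESS_HOSTS = {"mail.example.com", "scan-api.example.com"}

# Permissions that raise severity when an unapproved app holds them
# (T1512 Video Capture, T1533 Data from Local System in the table below).
SENSITIVE_PERMS = {"camera", "photos", "microphone"}


@dataclass(frozen=True)
class Finding:
    device_id: str
    severity: str  # "info", "medium" or "high"
    reason: str
    dest_host: str


def evaluate(record: dict) -> Optional[Finding]:
    """Apply the Detection direction rules to one proxy record."""
    dev = record.get("device_id") or "unknown"
    host = record.get("dest_host", "")
    app = record.get("app_bundle_id")
    if dev not in MDM_INVENTORY:
        # Bullet 5: unmanaged or personal device, outside collection scope.
        return Finding(dev, "info", "unmanaged device: outside MDM and telemetry scope", host)
    if not app:
        # Bullet 1: encrypted web traffic with no application context.
        return Finding(dev, "medium", "web traffic without application context", host)
    if app in APPROVED_APPS:
        if host in KNOWN_BUSINESS_HOSTS:
            return None  # Bullet 3: expected business traffic, no alert.
        return Finding(dev, "medium", f"approved app {app} to unlisted host", host)
    # Bullet 2: unapproved app reaching external web infrastructure. The
    # granted_permissions field is a constructed stand-in for MTD or device
    # privacy-state telemetry.
    perms = set(record.get("granted_permissions", []))
    severity = "high" if perms & SENSITIVE_PERMS else "medium"
    return Finding(dev, severity,
                   f"unapproved app {app} with permissions {sorted(perms)} to external host", host)


def hunt(lines) -> List[Finding]:
    """Run evaluate() over JSON lines, skipping blanks; ordered as logged."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample log: two normal business events, one unapproved app with
# camera/photo permissions, one event without app context, one unmanaged device.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:01Z","device_id":"ios-0001","app_bundle_id":"com.example.mail","dest_host":"mail.example.com","bytes":4312}
{"ts":"2024-05-01T09:00:07Z","device_id":"ios-0002","app_bundle_id":"com.example.scanner","dest_host":"scan-api.example.com","bytes":90211}
{"ts":"2024-05-01T09:01:15Z","device_id":"ios-0001","app_bundle_id":"com.placeholder.updates","granted_permissions":["camera","photos"],"dest_host":"unlisted-host.invalid","bytes":2210}
{"ts":"2024-05-01T09:02:40Z","device_id":"ios-0002","dest_host":"cdn.example.net","bytes":880}
{"ts":"2024-05-01T09:03:02Z","device_id":"ios-9999","app_bundle_id":"com.placeholder.updates","dest_host":"unlisted-host.invalid","bytes":2190}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.device_id} -> {f.dest_host}: {f.reason}")
    print(summarize(hunt(SAMPLE_LOG.splitlines())))
```

The ordering of checks matters for the false-positive point in the third bullet: the approved-app and known-host match is evaluated before anything is flagged, so routine mail or scanner traffic produces no finding, while the same unapproved bundle ID yields a high-severity finding on a managed device and only an informational telemetry-gap finding on the unmanaged one, because nothing about that device can be verified from the logs alone.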

Mitigation priorities

  • Prioritize mobile device inventory and ownership clarity so responders know which iOS devices are managed, monitored, and eligible for collection.
  • Enforce app governance appropriate to the environment, including restrictions on untrusted applications and review of apps requesting sensitive permissions.
  • Use mobile device management and mobile security controls to monitor compliance state, configuration profiles, and risky application presence where supported.
  • Strengthen network-layer visibility for managed mobile devices, especially DNS and web-protocol logging tied to user and device identity.
  • Prepare incident response procedures for suspected mobile spyware, including legal/privacy approvals, preservation steps, and escalation paths for executives or high-risk users.

Analyst notes and limits

The ATT&CK object identifies Concipit1248 as iOS spyware discovered in connection with the same developer name used by Android spyware Corona Updates, with the same C2 URL and similar functionality reported by the cited Trend Micro source. The supplied relationships indicate use of Web Protocols, Video Capture, and Data from Local System. No ATT&CK tactics are specified for this object.

Official detection guidance is not provided, and the supplied fields do not establish active exploitation, attribution, victimology, impact, or guaranteed observability. Local conclusions require environment-specific evidence such as mobile management scope, application inventory, network logs, and device collection feasibility.

Official MITRE ATT&CK definition

Concipit1248

Concipit1248 is iOS spyware that was discovered using the same name as the developer of the Android spyware Corona Updates. Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain   ID         Name                    Relationship / procedure
Mobile   T1437.001  Web Protocols           Sub-technique. Concipit1248 communicates with the C2 server using HTTP requests. [1]
Mobile   T1512      Video Capture           Concipit1248 requests permissions to use the device camera. [1]
Mobile   T1533      Data from Local System  Concipit1248 can collect device photos. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d1ffd9c2c2e078da...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  d1ffd9c2c2e0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendMicro Coronavirus Updates: T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020. (Open source URL)
  2. [2] Corona Updates (Citation: TrendMicro Coronavirus Updates)
  3. [3] mitre-attack S0426 (Open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.