S0509: FakeSpy
Analyst context for executives and security teams
FakeSpy is an Android spyware entry in ATT&CK for Mobile. Its significance is less about one named malware family and more about the mobile behaviors ATT&CK associates with it: hiding or masquerading, collecting contacts and SMS messages, discovering device and network details, checking connectivity, using web protocols, and persisting through Android broadcast receivers. For leaders, this is a reminder that unmanaged or weakly governed Android devices can become an identity, privacy, fraud, and incident-response problem even when traditional endpoint controls look healthy.
Executive priority
Prioritize validation of mobile device governance where Android devices handle business communications, SMS-based workflows, contacts, or access to cloud and identity services. The ATT&CK record provides no official detection text, so executives should ask whether the organization can prove mobile app inventory, permission visibility, network telemetry, and incident response procedures for suspicious Android apps. This behavior is relevant to business continuity and compliance evidence because contact and SMS access can affect sensitive communications, account recovery processes, and investigation timelines.
Technical view
SOC, detection, and IR teams should treat FakeSpy as an Android-focused reference case for spyware tradecraft. ATT&CK relationships indicate use of obfuscation, stored application data access, software discovery, network connection and configuration discovery, internet connectivity checks, system information discovery, web protocol communications, SMS control, broadcast receiver persistence, suppressed launcher icon behavior, system checks, contact and SMS collection, and legitimate-name/location masquerading. Because no official detection guidance is provided, teams should validate coverage against these related techniques rather than relying on a FakeSpy-specific signature.
Likely telemetry
- Android mobile device management or enterprise mobility management inventory, including installed applications, package names, versions, and app visibility state
- Android app permission grants, especially SMS, contacts, network state, and broadcast receiver-related behavior where available
- Mobile threat defense or application reputation alerts for obfuscated, masquerading, or hidden-icon applications
- Device network telemetry showing HTTP/HTTPS communications from suspicious or newly installed Android apps
- DNS, proxy, firewall, or secure web gateway logs for mobile device traffic where collected
Detection direction
- Map detections to the related ATT&CK techniques, especially T1582 SMS Control, T1624.001 Broadcast Receivers, T1628.001 Suppress Application Icon, T1636.003 Contact List, and T1636.004 SMS Messages.
- Look for combinations of risk indicators rather than single events: a newly installed Android app that masquerades as a trusted service, requests SMS or contacts access, hides its icon, registers event receivers, and communicates over web protocols is higher priority than any one behavior alone.
- Tune for false positives from legitimate messaging, device management, carrier, and productivity apps that may use SMS, contacts, broadcast receivers, or web protocols for valid reasons.
- Validate whether app inventory tools expose suppressed icons, misleading package names, and applications installed outside approved channels; these are common blind spots for mobile investigations.
- Because ATT&CK provides no official detection text for FakeSpy, document local analytic assumptions and test them with approved benign samples or controlled mobile telemetry rather than claiming signature-level coverage.
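The combination logic in the points above, written out as an added example. This is not code from the page, from Cybereason or from MITRE; it is a triage script that scores Android app inventory records against the FakeSpy-related techniques and only reports a package when several indicators coincide. The MDM field names (`installer`, `icon_visible`), the permission-to-technique map, the scoring weights, the threshold of 6 and the `BRAND_BASELINE` allowlist of accepted package prefixes for impersonated services are all assumptions to be replaced with local values; the manifests and inventory records are constructed samples, not real apps.

```python
"""Score Android app inventory records against FakeSpy-related ATT&CK behaviours
(SMS/contacts permissions, BOOT_COMPLETED receiver, hidden launcher icon,
install outside the approved channel, label that impersonates a postal or
delivery service). Weights, threshold and baselines are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(elem, name):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

# Permissions mapped to the collection / SMS-control techniques on this page.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "T1636.004",
    "android.permission.RECEIVE_SMS": "T1636.004",
    "android.permission.SEND_SMS": "T1582",
    "android.permission.READ_CONTACTS": "T1636.003",
}
# Hypothetical local baseline: label keywords that get impersonated, with the
# package prefixes the organisation accepts for apps carrying that label.
BRAND_BASELINE = {"post": ("com.example.post.",), "parcel": ("com.example.post.",)}
APPROVED_INSTALLERS = {"com.android.vending"}   # Google Play; add your MDM store
SCORE_THRESHOLD = 6                             # report only combined indicators

@dataclass
class AppRecord:
    package: str
    label: str
    installer: str        # installing package as reported by MDM, "" if unknown
    icon_visible: bool    # launcher icon state as reported by MDM
    manifest_xml: str     # decoded AndroidManifest.xml (e.g. apktool/aapt output)
    findings: list = field(default_factory=list)
    score: int = 0

def parse_manifest(xml_text):
    """Return (requested permissions, True if a receiver listens for BOOT_COMPLETED)."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    boot_receiver = any(
        android_attr(a, "name") == "android.intent.action.BOOT_COMPLETED"
        for r in root.iter("receiver") for a in r.iter("action"))
    return perms, boot_receiver

def score_app(rec, approved_packages=frozenset()):
    """Reset and recompute the record's score; each finding names the ATT&CK ID."""
    rec.score, rec.findings = 0, []
    if rec.package in approved_packages:          # FP tuning: known-good apps
        rec.findings.append("approved package, scored 0 by policy")
        return rec
    perms, boot_receiver = parse_manifest(rec.manifest_xml)
    for perm, technique in HIGH_RISK_PERMISSIONS.items():
        if perm in perms:
            rec.findings.append(f"{technique}: requests {perm}")
            rec.score += 1
    if boot_receiver:
        rec.findings.append("T1624.001: receiver registered for BOOT_COMPLETED")
        rec.score += 1
    if not rec.icon_visible:
        rec.findings.append("T1628.001: launcher icon not visible")
        rec.score += 3
    if rec.installer not in APPROVED_INSTALLERS:
        rec.findings.append("installed outside approved channel (installer=%s)"
                            % (rec.installer or "unknown"))
        rec.score += 3
    label = rec.label.lower()
    for word, prefixes in BRAND_BASELINE.items():
        if word in label and not rec.package.startswith(prefixes):
            rec.findings.append(f"T1655.001: label '{rec.label}' but package "
                                f"{rec.package} is not an approved {word} app")
            rec.score += 3
            break
    return rec

def triage(records, approved_packages=frozenset(), threshold=SCORE_THRESHOLD):
    """Score every record and return those at or above the threshold, highest first."""
    scored = [score_app(r, approved_packages) for r in records]
    return sorted((r for r in scored if r.score >= threshold), key=lambda r: -r.score)

def build_manifest(package, perms, boot_receiver):
    """Constructed minimal decoded manifest for the samples below (not a real app)."""
    perm_xml = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    receiver_xml = ('<receiver android:name=".BootReceiver"><intent-filter>'
                    '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
                    '</intent-filter></receiver>') if boot_receiver else ""
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{perm_xml}<application>{receiver_xml}</application></manifest>')

# Constructed inventory: one suspect sideload, one legitimate messaging app,
# one enterprise agent that trips the threshold on its own and needs allowlisting.
SAMPLE_RECORDS = [
    AppRecord("com.update.service", "Parcel Tracker", "", False, build_manifest(
        "com.update.service", ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"], True)),
    AppRecord("com.example.messenger", "Messages", "com.android.vending", True, build_manifest(
        "com.example.messenger", ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS"], True)),
    AppRecord("com.example.syncagent", "Contact Sync Agent", "", True, build_manifest(
        "com.example.syncagent", ["android.permission.READ_CONTACTS",
        "android.permission.READ_SMS"], True)),
]

def run_sample():
    """Triage the constructed inventory with the sync agent allowlisted."""
    prioritized = triage(SAMPLE_RECORDS, frozenset({"com.example.syncagent"}))
    return {r.package: (r.score, r.findings) for r in prioritized}

if __name__ == "__main__":
    for package, (score, findings) in run_sample().items():
        print(package, score, *findings, sep="\n  ")
```

Run it once without the allowlist and `com.example.syncagent` is reported as well: an enterprise-pushed app with contacts and SMS access plus a boot receiver is exactly the false positive the tuning point above warns about, and the allowlist is the documented analytic assumption that suppresses it. The messaging app scores 4 and stays below the threshold because it came from the approved store and keeps its icon. Note that the icon check relies on the MDM's reported visibility state rather than the manifest, since FakeSpy's suppression happens at runtime and the manifest alone would still show a launcher activity.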
Mitigation priorities
- Enforce managed Android enrollment and maintain an authoritative app inventory for business-accessing devices.
- Restrict or review high-risk permissions such as SMS and contacts access, especially for apps that do not have a clear business need.
- Use approved app distribution and application reputation controls to reduce exposure to masquerading or obfuscated applications.
- Ensure mobile network traffic from managed devices is visible enough to support investigation of suspicious web-protocol communications.
- Prepare IR playbooks for Android spyware cases, including device isolation, app removal, credential review, SMS/account-recovery risk assessment, and preservation of relevant mobile artifacts.
Analyst notes and limits
The ATT&CK object identifies FakeSpy as Android spyware operated by the Chinese threat actor behind Roaming Mantis campaigns, citing Cybereason reporting. The supplied relationship context gives the strongest defensive value: it outlines the mobile behaviors defenders should validate across Android telemetry and controls. No tactics are specified in the supplied object, and no official ATT&CK detection text is provided.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current activity, customer exposure, indicators of compromise, infrastructure, or guaranteed detectability. Local device management coverage, legal constraints around SMS data, mobile network visibility, and approved app baselines are required to determine real risk and coverage.
FakeSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422 | System Network Configuration Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI. [1] |
| Mobile | T1409 | Stored Application Data | FakeSpy can collect account information stored on the device, as well as data in external storage. [1] |
| Mobile | T1422.001 | Internet Connection Discovery | FakeSpy can collect device networking information, including phone number, IMEI, and IMSI. [1] |
| Mobile | T1624.001 | Broadcast Receivers | FakeSpy can register for the `BOOT_COMPLETED` broadcast Intent. [1] |
| Mobile | T1418 | Software Discovery | FakeSpy can collect a list of installed applications. [1] |
| Mobile | T1628.001 | Suppress Application Icon | FakeSpy can hide its icon if it detects that it is being run on an emulator. [1] |
| Mobile | T1633.001 | System Checks | FakeSpy can detect if it is running in an emulator and adjust its behavior accordingly. [1] |
| Mobile | T1406 | Obfuscated Files or Information | |
| Mobile | T1426 | System Information Discovery | FakeSpy can collect device information, including OS version and device model. [1] |
| Mobile | T1582 | SMS Control | FakeSpy can send SMS messages. [1] |
| Mobile | T1636.004 | SMS Messages | FakeSpy can collect SMS messages. [1] |
| Mobile | T1421 | System Network Connections Discovery | FakeSpy can collect the device’s network information. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location | FakeSpy masquerades as local postal service applications. [1] |
| Mobile | T1636.003 | Contact List | FakeSpy can collect the device’s contact list. [1] |
| Mobile | T1437.001 | Web Protocols | FakeSpy exfiltrates data using HTTP requests. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 947f0e5ca6dd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason FakeSpy: O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
[2] mitre-attack S0509: MITRE ATT&CK software entry S0509 (FakeSpy).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.