S1056: TianySpy
Analyst context for executives and security teams
TianySpy is mobile malware documented by ATT&CK for Android and iOS, primarily spread through SMS phishing in a 2021 campaign and believed to have targeted credentials for major Japanese telecommunications membership websites. Its practical significance is not just the malware family itself, but the defensive pattern it represents: mobile phishing that can lead to credential capture, device discovery, obfuscated payloads, and possible data exfiltration. For organizations, this makes mobile identity protection, user reporting, mobile telemetry, and incident response playbooks important parts of credential-risk management.
Executive priority
Treat TianySpy as a reminder that mobile devices can be part of the credential attack surface, especially where employees use personal or managed phones to access telecom, identity, customer, or workforce services. Leaders should ask whether SMS-phishing response, mobile device governance, credential reset procedures, and audit evidence for mobile access controls are mature enough to support business continuity during a credential-theft incident. Priority should be based on local exposure to Android/iOS access, use of SMS-based workflows, and the organization’s ability to investigate suspicious mobile app, network, and authentication activity.
Technical view
ATT&CK does not provide a detection section for TianySpy, so SOC and IR teams should validate coverage around the related behaviors rather than assume malware-family-specific detections exist. The relationship context points to obfuscated files or information, GUI input capture, system and network configuration discovery, Internet and Wi-Fi discovery, command/script interpreter abuse, code-signing policy modification, and exfiltration over alternative protocols. For Android and iOS fleets, defenders should test whether mobile security tooling, MDM/UEM controls, network monitoring, phishing intake, and identity logs can connect a suspicious SMS lure to app installation or execution, credential prompts, device discovery, outbound traffic, and downstream account misuse.
Likely telemetry
- SMS phishing reports or messaging-security evidence where available
- Mobile device management / unified endpoint management inventory and compliance status
- Mobile threat defense or endpoint security alerts for suspicious apps, obfuscation, or policy changes
- Android and iOS app installation, signing, permission, and profile/configuration data where collected
- Network connection metadata from mobile devices, VPN, secure web gateway, DNS, or proxy logs
Detection direction
- Because official ATT&CK detection guidance is not provided, validate behavior-based detections mapped to the related techniques rather than relying only on a TianySpy signature.
- Tune for suspicious mobile phishing-to-credential workflows: SMS lure, app install or web prompt, credential entry, and subsequent authentication anomalies.
- Review whether mobile controls can surface unofficial or unexpected signing, profile, or policy changes relevant to code-signing policy modification.
- Correlate device discovery behaviors and outbound network activity with suspicious app presence; avoid over-alerting on normal OS or enterprise management activity that legitimately reads device or network configuration.
- Assess visibility gaps on personally owned devices, unmanaged mobile endpoints, encrypted mobile traffic, and iOS/Android privacy boundaries that may limit forensic detail.
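The chain in the detection bullets above (SMS lure, unmanaged install or profile change, later authentication anomaly) is easiest to reason about as a per-user correlation over a time window. The following Python is an added example for this page, not code from ATT&CK, Trend Micro or Glexia. The three feeds (a phishing-report intake, an MDM/UEM event stream and an identity-provider log), their field names and every sample record are constructed; map them onto your own schemas. It also shows the noise-suppression point from the bullets: a profile pushed by the organization's own MDM does not advance the chain.

```python
"""Correlate smishing-to-credential-theft signals per user within a window.

Added example; all sources, field names and records below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events from three hypothetical feeds:
# "phish_intake" (user-reported SMS lures), "mdm" (install/profile events,
# with a "managed" flag meaning the change was pushed by enterprise MDM),
# and "idp" (identity-provider sign-in events).
SAMPLE_EVENTS = [
    {"ts": "2021-10-01T08:02:00Z", "source": "phish_intake", "user": "alice",
     "kind": "sms_report", "detail": "link to telco membership login lookalike"},
    {"ts": "2021-10-01T08:09:30Z", "source": "mdm", "user": "alice",
     "device": "ios-7f21", "kind": "profile_installed", "managed": False,
     "detail": "configuration profile installed outside MDM"},
    {"ts": "2021-10-01T08:11:10Z", "source": "mdm", "user": "alice",
     "device": "ios-7f21", "kind": "app_installed", "managed": False,
     "detail": "app signed with an ad hoc provisioning profile"},
    {"ts": "2021-10-01T08:40:00Z", "source": "idp", "user": "alice",
     "kind": "auth_anomaly", "detail": "login from new device and new network"},
    # Benign noise: an MDM-pushed profile and a routine sign-in for another user.
    {"ts": "2021-10-01T09:00:00Z", "source": "mdm", "user": "bob",
     "device": "ios-1a9c", "kind": "profile_installed", "managed": True,
     "detail": "configuration profile pushed by MDM"},
    {"ts": "2021-10-01T09:05:00Z", "source": "idp", "user": "bob",
     "kind": "auth_success", "detail": "known device"},
]


def is_lure(e):
    return e["kind"] == "sms_report"


def is_unmanaged_install(e):
    # Only installs or profile changes the enterprise MDM did not push count.
    return e["kind"] in ("profile_installed", "app_installed") and not e.get("managed", False)


def is_auth_anomaly(e):
    return e["kind"] == "auth_anomaly"


# Ordered stages of the chain described on the page.
STAGES = [
    ("lure", is_lure),
    ("install_or_profile", is_unmanaged_install),
    ("auth_anomaly", is_auth_anomaly),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(events, window=timedelta(hours=2)):
    """Return {user: [(stage, timestamp), ...]} for users with a reported lure.

    A stage is recorded if at least one matching event falls within `window`
    after the user's first reported lure; the earliest match is kept.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    findings = {}
    for user, evs in by_user.items():
        lures = [e for e in evs if is_lure(e)]
        if not lures:
            continue  # no lure reported: nothing to anchor the chain on
        t0 = parse_ts(lures[0]["ts"])
        hit = []
        for name, pred in STAGES:
            matches = [e for e in evs if pred(e) and t0 <= parse_ts(e["ts"]) <= t0 + window]
            if matches:
                hit.append((name, matches[0]["ts"]))
        findings[user] = hit
    return findings


def severity(stages_hit):
    """Escalate only when the chain progresses beyond the lure itself."""
    names = {n for n, _ in stages_hit}
    if {"install_or_profile", "auth_anomaly"} <= names:
        return "high"
    if "install_or_profile" in names or "auth_anomaly" in names:
        return "medium"
    return "low"


if __name__ == "__main__":
    for user, hit in correlate(SAMPLE_EVENTS).items():
        print(user, severity(hit), hit)
```

Anchoring the window on the user's report keeps the rule cheap and explainable; in production the same logic is usually expressed as a join in the SIEM, with the window and the set of "unmanaged" event kinds tuned to the fleet's MDM coverage.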
Mitigation priorities
- Reduce SMS-phishing risk with user reporting paths, awareness focused on mobile credential prompts, and response procedures for reported lures.
- Strengthen mobile access governance through MDM/UEM enrollment where appropriate, app installation controls, device compliance checks, and restrictions on untrusted profiles or unsigned/unofficial apps where supported.
- Harden identity controls for mobile-accessible services with phishing-resistant authentication where feasible, conditional access, session monitoring, and rapid credential reset workflows.
- Prepare IR procedures for mobile credential-theft scenarios, including device triage, account containment, token/session revocation, and evidence preservation within legal and privacy constraints.
- Prioritize telemetry integration between mobile management, mobile threat defense, network security, and identity platforms so analysts can reconstruct the sequence of events.
Analyst notes and limits
The supplied ATT&CK object identifies TianySpy as mobile malware on Android and iOS, cites a Trend Micro report, and states that it was primarily spread by SMS phishing between September 30 and October 12, 2021. It also states the malware is believed to have targeted credentials associated with membership websites of major Japanese telecommunications services. The most useful defensive value comes from the related ATT&CK techniques, which suggest areas to validate for mobile phishing, credential capture, discovery, obfuscation, interpreter use, signing-policy abuse, and exfiltration behaviors.
ATT&CK provides no official detection text, no tactics for this object in the supplied fields, and no aliases or labels. The relationship descriptions are technique-level context and should not be treated as proof of every behavior in every TianySpy incident. Local risk depends on mobile device ownership, telemetry availability, identity architecture, SMS exposure, and whether relevant Japanese telecommunications credential workflows matter to the organization.
TianySpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1632.001 | Code Signing Policy Modification | TianySpy can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution. [1] |
| Mobile | T1417.002 | GUI Input Capture | TianySpy can utilize WebViews to display fake authentication pages that capture user credentials. [1] |
| Mobile | T1406 | Obfuscated Files or Information | TianySpy has encrypted C2 details, email addresses, and passwords. [1] |
| Mobile | T1426 | System Information Discovery | TianySpy can gather device UDIDs. [1] |
| Mobile | T1422.001 | Internet Connection Discovery | TianySpy can check to see if Wi-Fi is enabled. [1] |
| Mobile | T1639 | Exfiltration Over Alternative Protocol | TianySpy can exfiltrate collected user data, including credentials and authorized cookies, via email. [1] |
| Mobile | T1623 | Command and Scripting Interpreter | TianySpy can steal information via malicious JavaScript. [1] |
| Mobile | T1422 | System Network Configuration Discovery | TianySpy can check to see if Wi-Fi is enabled. [1] |
| Mobile | T1422.002 | Wi-Fi Discovery | TianySpy can check to see if Wi-Fi is enabled. [1] |
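The T1632.001 row above and the detection bullet about surfacing unexpected signing or profile changes both come down to the same triage question: what kind of distribution does a provisioning profile on the device permit? On iOS, Ad Hoc profiles only install on devices whose UDIDs are listed in the profile, which is also why UDID collection (the T1426 row) fits alongside this technique. The following Python is an added example for this page, not code from ATT&CK, Trend Micro or Glexia. A `.mobileprovision` file is a CMS-signed blob whose payload is an XML plist; the classification uses the well-known plist keys (`get-task-allow`, `ProvisionsAllDevices`, `ProvisionedDevices`, `TeamIdentifier`). The sample profile is constructed, the bytes wrapped around it merely stand in for a real CMS envelope, and the code does not verify the signature, so treat it as triage input rather than trust.

```python
"""Classify an iOS provisioning profile by the distribution it allows.

Added example; the sample profile and the filler bytes around it are constructed.
"""
import plistlib


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob (bare XML also accepted).

    Real files are DER-encoded CMS; this slices out the embedded plist without
    checking the signature, which is enough for classification but not for trust.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Return 'development', 'enterprise', 'adhoc' or 'appstore'.

    Order matters: development profiles also carry a device list, and
    enterprise (in-house) profiles provision all devices with no list.
    """
    entitlements = profile.get("Entitlements", {})
    if entitlements.get("get-task-allow"):
        return "development"
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "adhoc"
    return "appstore"


def is_sideload_risk(profile: dict, trusted_teams=frozenset()) -> bool:
    """Flag non-App-Store distribution from a team the organization does not recognize."""
    kind = classify_profile(profile)
    team = profile.get("TeamIdentifier", [""])[0]
    return kind in ("adhoc", "enterprise", "development") and team not in trusted_teams


def constructed_adhoc_profile() -> bytes:
    """Constructed sample: an ad hoc profile with one registered UDID, in filler bytes."""
    plist = {
        "AppIDName": "Membership Helper",
        "Name": "Membership Helper Ad Hoc",
        "TeamIdentifier": ["ZZZZ999999"],          # constructed team ID
        "TeamName": "Unknown Publisher",
        "UUID": "00000000-0000-0000-0000-000000000000",
        "ProvisionedDevices": ["00008030-000000000000002E"],  # constructed UDID
        "Entitlements": {
            "get-task-allow": False,
            "application-identifier": "ZZZZ999999.com.example.helper",
        },
    }
    # The leading/trailing bytes only imitate the position of a CMS envelope.
    return b"\x30\x82\x0a\x00FILLER" + plistlib.dumps(plist) + b"TRAILER"


if __name__ == "__main__":
    profile = extract_plist(constructed_adhoc_profile())
    print(classify_profile(profile), is_sideload_risk(profile))
```

In practice the profile bytes come from an MDM/UEM inventory export or a device backup; an allow-list of the organization's own team identifiers turns `is_sideload_risk` into a reviewable exception list rather than a blanket alert.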
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 44782e7f80ad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] trendmicro_tianyspy_0122: Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
[2] mitre-attack: MITRE ATT&CK software object S1056.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.