S1079: BOULDSPY
Analyst context for executives and security teams
BOULDSPY is an Android malware entry in ATT&CK with surveillance, remote-control, collection, C2, and exfiltration behaviors. For leaders, the material issue is not just one malware family; it is whether the organization can see and govern mobile devices that may hold messages, contacts, location, audio/video, screenshots, credentials, and business communications.
Executive priority
Prioritize BOULDSPY as a mobile security readiness test, especially for executives, high-risk staff, regulated communications, and personnel whose location or communications create safety concerns. The ATT&CK relationships point to broad data collection and exfiltration over C2, so decision-makers should ask whether MDM/EMM, mobile threat defense, identity controls, and incident response processes can prove what apps are installed, what permissions are granted, and what data may have been exposed from Android devices.
Technical view
ATT&CK lists BOULDSPY for Android and maps it to techniques including persistence via boot/logon or event-triggered execution, runtime code download, application/data discovery, clipboard and keylogging-related collection, audio/video/screen capture, location tracking, call log/contact/SMS collection, local data collection, archiving, web-protocol C2, out-of-band data, and exfiltration over the C2 channel. Because the object provides no official detection text and no tactics, SOC and IR teams should validate coverage from the related techniques rather than relying on a single malware signature.
Likely telemetry
- MDM/EMM inventory of Android devices, installed applications, app versions, and sideloaded or unmanaged apps
- APK metadata, requested permissions, manifest entries, boot/event receivers, and indicators of dynamic code loading
- Mobile threat defense or endpoint telemetry for suspicious app behavior, rooting indicators, app modification, and persistence attempts
- Android permission use for microphone, camera, location, contacts, SMS, call logs, storage, clipboard, accessibility/keyboard-like behavior, and screen capture consent/use
- Network telemetry for mobile web-protocol communications, DNS/proxy/VPN logs where available, and unusual recurring connections from mobile devices
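The APK metadata items above (requested permissions, manifest receivers, cleartext-traffic setting, package name, and dynamic code loading indicators) can be pulled from a decoded manifest and `classes.dex` and scored as a cluster. The following triage routine is an added example written for this page, not Lookout or MITRE code; the two manifests, the DEX byte stand-in, and the review threshold are constructed for illustration. The spyware-like manifest reuses only the `com.android.callservice` package name that appears in the technique table on this page.

```python
"""Static triage of an Android manifest (plus optional classes.dex bytes) for the
behaviour cluster described on this page: high-risk permissions, boot and SMS
receivers, cleartext traffic, a system-looking package name, and dynamic code
loading. Added example; manifests, DEX bytes and threshold are constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # manifest attribute namespace

# Permission -> collection capability, following the techniques in the table on this page.
HIGH_RISK_PERMS = {
    "android.permission.RECORD_AUDIO": "audio_capture",
    "android.permission.CAMERA": "video_capture",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "local_files",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_persistence",
}
# Class references in classes.dex that indicate code loaded at runtime (T1407).
DYNAMIC_LOADERS = (b"Ldalvik/system/DexClassLoader;",
                   b"Ldalvik/system/InMemoryDexClassLoader;",
                   b"Ldalvik/system/PathClassLoader;")

def triage(manifest_xml: str, dex_bytes: bytes = b"", review_at: int = 6) -> dict:
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = sorted({HIGH_RISK_PERMS[p] for p in perms if p in HIGH_RISK_PERMS})
    findings = set()
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.add("boot_receiver")          # runs on device boot (T1398 / T1624)
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            findings.add("sms_receiver")           # can take commands via SMS (T1644)
    for svc in root.iter("service"):
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.add("accessibility_service")  # keylogging-capable (T1417.001)
    app = root.find("application")
    if app is not None and app.get(A + "usesCleartextTraffic") == "true":
        findings.add("cleartext_http")             # plain HTTP allowed (T1437.001)
    if pkg.startswith(("com.android.", "android.")):
        findings.add("system_like_package")        # masquerading name (T1655.001)
    if any(m in dex_bytes for m in DYNAMIC_LOADERS):
        findings.add("dynamic_code_loading")
    # Score the cluster, not any single permission: a messaging app legitimately holds
    # microphone/camera/contacts, but not together with boot+SMS receivers and a loader.
    score = len(caps) + len(findings)
    return {"package": pkg, "capabilities": caps, "findings": sorted(findings),
            "score": score, "verdict": "review" if score >= review_at else "low"}

# Constructed spyware-like manifest (only the package name comes from this page).
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.callservice">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".KeyService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
# Constructed stand-in for classes.dex: DEX magic plus one loader class reference.
SPY_DEX = b"dex\n035\x00" + b"\x00" * 16 + b"Ldalvik/system/DexClassLoader;"

# Constructed manifest for an ordinary messaging app with overlapping permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest, dex in ((SPY_MANIFEST, SPY_DEX), (BENIGN_MANIFEST, b"")):
        print(triage(manifest, dex))
```

The benign messaging app shares three sensitive permissions with the spyware-like sample but scores 3 and stays "low"; the spyware-like sample scores 14 on the combination of permissions, receivers, cleartext traffic, package name and loader reference. Run the triage against decoded manifests exported from your MDM/EMM or app-vetting pipeline, and tune `HIGH_RISK_PERMS` and `review_at` to the app population you actually manage.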
Detection direction
- Treat the absence of official ATT&CK detection guidance as a coverage gap to validate locally, not as evidence that the behavior is undetectable.
- Hunt for combinations of high-risk permissions and behaviors: persistence mechanisms, runtime code retrieval, sensitive content-provider access, capture APIs, location access, and outbound web communications.
- Tune detections around behavioral clusters rather than single permissions, because legitimate apps may request microphone, camera, contacts, SMS, location, or accessibility-related access.
- Review mobile app vetting for runtime code download, since this can reduce the value of static pre-publication or one-time APK analysis.
- Validate whether BYOD, personal messaging apps, and devices outside MDM/EMM enrollment are blind spots for app inventory, permissions, and network visibility.
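On the network side, the page's "unusual recurring connections from mobile devices" and the table's note that BOULDSPY uses unencrypted HTTP to its C2 suggest a simple hunt: per (device, host) pairs in proxy logs, look for machine-timed connection intervals and weight cleartext HTTP higher. The detector below is an added example for this page, not Lookout, MITRE or any vendor code; the log format, device names and hosts (TEST-NET and example domains) are constructed, and the jitter threshold is an assumption to tune locally.

```python
"""Flag steadily recurring connections from mobile devices in a proxy export and
mark the cleartext ones. Added example; log lines, hosts and thresholds are
constructed for illustration, not observed BOULDSPY traffic."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy export: one device beaconing over plain HTTP every ~5 minutes,
# one device with a legitimate 15-minute HTTPS sync, one device browsing irregularly.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z dev=android-7f3a method=POST url=http://203.0.113.10/api/upload bytes=8421
2024-05-01T08:00:30Z dev=android-9b01 method=GET url=https://sync.example.net/v1/poll bytes=312
2024-05-01T08:01:10Z dev=android-c21e method=GET url=https://news.example.org/ bytes=51200
2024-05-01T08:01:15Z dev=android-c21e method=GET url=https://news.example.org/story/1 bytes=20480
2024-05-01T08:05:02Z dev=android-7f3a method=POST url=http://203.0.113.10/api/upload bytes=9004
2024-05-01T08:07:40Z dev=android-c21e method=GET url=https://news.example.org/story/2 bytes=19876
2024-05-01T08:09:58Z dev=android-7f3a method=POST url=http://203.0.113.10/api/upload bytes=7733
2024-05-01T08:15:01Z dev=android-7f3a method=POST url=http://203.0.113.10/api/upload bytes=8120
2024-05-01T08:15:30Z dev=android-9b01 method=GET url=https://sync.example.net/v1/poll bytes=298
2024-05-01T08:20:00Z dev=android-7f3a method=POST url=http://203.0.113.10/api/upload bytes=8377
2024-05-01T08:30:30Z dev=android-9b01 method=GET url=https://sync.example.net/v1/poll bytes=305
2024-05-01T08:31:05Z dev=android-c21e method=GET url=https://news.example.org/story/3 bytes=22011
2024-05-01T08:32:00Z dev=android-c21e method=GET url=https://news.example.org/story/4 bytes=18002
2024-05-01T08:45:30Z dev=android-9b01 method=GET url=https://sync.example.net/v1/poll bytes=301
"""

def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' proxy line."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    url = urlsplit(rec["url"])
    rec["scheme"], rec["host"] = url.scheme, url.hostname
    return rec

def find_beacons(log_text: str, min_hits: int = 4, max_jitter: float = 0.15) -> list:
    """Return (device, host) pairs whose connection intervals are nearly constant.
    Jitter is the coefficient of variation of the gaps; humans browsing produce
    large values, timers produce values near zero. Cleartext HTTP raises priority."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_pair[(rec["dev"], rec["host"], rec["scheme"])].append(rec["ts"])
    findings = []
    for (dev, host, scheme), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            cleartext = scheme == "http"
            findings.append({
                "dev": dev, "host": host, "scheme": scheme, "hits": len(times),
                "interval_s": round(avg), "jitter": round(jitter, 3),
                "cleartext": cleartext,
                # Steady HTTPS polling is normal for sync and push clients; steady
                # cleartext HTTP to a bare IP is the combination worth a look.
                "priority": "high" if cleartext else "info",
            })
    return findings

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

On the constructed log this returns two findings: the legitimate HTTPS sync client (priority "info", a reminder that interval regularity alone is a weak signal) and the plain-HTTP POSTs at a 300-second cadence (priority "high"). The irregular browsing device is not reported. In production, join the "high" results against the app inventory from MDM/EMM so the analyst can see which package on that device owns the connection.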
Mitigation priorities
- Maintain authoritative Android device and application inventory through MDM/EMM or equivalent governance.
- Restrict unmanaged app installation and sideloading where business policy allows; require review of high-risk permissions for sensitive users and roles.
- Use mobile app vetting and mobile threat detection focused on dynamic code loading, suspicious persistence, sensitive data access, and C2-like network behavior.
- Enforce least-privilege mobile permissions and user prompts for microphone, camera, location, contacts, SMS, call logs, clipboard, and screen capture access.
- Keep Android devices patched and monitor for rooted or otherwise weakened device posture, since several related techniques become more powerful when OS protections are bypassed.
Analyst notes and limits
The official ATT&CK description states BOULDSPY was detected in early 2023, has surveillance and remote-control capabilities, and that analysis of exfiltrated C2 data suggests primary targeting of minority groups in Iran. The relationship set is the main source of defensive value here because it shows the breadth of Android behaviors defenders should test against their mobile security architecture.
ATT&CK provides no official detection text, no listed tactics, no aliases, and only Android as the platform for this malware object. This take does not assert active exploitation, customer exposure, attribution, or guaranteed detection. Local device enrollment, legal/privacy constraints, telemetry availability, and mobile architecture will determine practical coverage.
BOULDSPY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1409 | Stored Application Data | BOULDSPY can retrieve account information for third party services, such as Google, Telegram, WeChat, or WhatsApp. [1] |
| Mobile | T1532 | Archive Collected Data | BOULDSPY can encrypt its data before exfiltration. [1] |
| Mobile | T1407 | Download New Code at Runtime | BOULDSPY can download and run code obtained from the C2. [1] |
| Mobile | T1429 | Audio Capture | BOULDSPY can access a device's microphone to record audio, as well as cell and VoIP application calls. [1] |
| Mobile | T1636.003 | Protected User Data: Contact List | BOULDSPY can exfiltrate a device's contacts. [1] |
| Mobile | T1422.002 | System Network Configuration Discovery: Wi-Fi Discovery | BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information. [1] |
| Mobile | T1414 | Clipboard Data | BOULDSPY can collect clipboard data. [1] |
| Mobile | T1422 | System Network Configuration Discovery | BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | BOULDSPY has exfiltrated cached data from infected devices. [1] |
| Mobile | T1513 | Screen Capture | BOULDSPY can take and exfiltrate screenshots. [1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | BOULDSPY uses unencrypted HTTP traffic between the victim and C2 infrastructure. [1] |
| Mobile | T1533 | Data from Local System | BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device. [1] |
| Mobile | T1426 | System Information Discovery | BOULDSPY can collect system information, such as Android version and device identifiers. [1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | BOULDSPY has been installed using the package name `com.android.callservice`, pretending to be an Android system service. [1] |
| Mobile | T1644 | Out of Band Data | BOULDSPY can use SMS to send C2 commands. [1] |
| Mobile | T1636.002 | Protected User Data: Call Log | BOULDSPY can access device call logs. [1] |
| Mobile | T1512 | Video Capture | BOULDSPY can take photos using the device cameras. [1] |
| Mobile | T1417.001 | Input Capture: Keylogging | BOULDSPY can capture keystrokes. [1] |
| Mobile | T1577 | Compromise Application Executable | BOULDSPY can inject malicious packages into applications already existing on an infected device. [1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | BOULDSPY can exfiltrate SMS logs. [1] |
| Mobile | T1418 | Software Discovery | BOULDSPY can retrieve the list of installed applications. [1] |
| Mobile | T1422.001 | System Network Configuration Discovery: Internet Connection Discovery | BOULDSPY can collect network information, such as IP address, SIM card information, and Wi-Fi information. [1] |
| Mobile | T1398 | Boot or Logon Initialization Scripts | BOULDSPY can exfiltrate data when the user boots the app, or on device boot. [1] |
| Mobile | T1624 | Event Triggered Execution | BOULDSPY uses a background service that can restart itself when the parent activity is stopped. [1] |
| Mobile | T1430 | Location Tracking | BOULDSPY can get a device's location using GPS or network. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eadac39a124f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] lookout_bouldspy_0423: Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
[2] mitre-attack S1079: MITRE ATT&CK software entry S1079 (BOULDSPY).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.