S1214: Android/SpyAgent
Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.[1] Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.[1]
Analyst context for executives and security teams
Android/SpyAgent matters because it represents mobile spyware delivered as fake trusted applications in a phishing campaign, with reported targeting of Korean and Japanese users. For leaders, the practical issue is not just one malware family: it highlights whether the organization can govern Android app installation, spot risky permissions, and respond when mobile devices become a path to SMS, call, network, and command-and-control activity.
Executive priority
Prioritize this as a mobile security and incident-readiness validation item where Android devices are used for business, authentication, executive communications, or regulated workflows. The object has no ATT&CK detection guidance, so assurance should come from proving that MDM/mobile threat defense, app inventory, permission governance, network monitoring, and mobile IR procedures can produce evidence quickly enough for containment and audit needs.
Technical view
SOC and IR teams should validate coverage against the related Android behaviors: obfuscated files or payloads, discovery of network configuration, use of legitimate web services or dead-drop resolvers for C2 direction, call control, disabling or modifying security tools, SMS collection, and masquerading with legitimate-looking app names/icons/locations. Because ATT&CK lists no tactics and provides no detection text, detection engineering should be built from local Android telemetry, app metadata, permissions, and network behavior rather than assuming a standard analytic exists.
Likely telemetry
- Android application inventory, package names, app labels, icons, install source, signing/certificate metadata, and version history
- MDM or mobile threat defense alerts for suspicious apps, device administrator abuse, rooting/jailbreak indicators, or security tool tampering
- Android permission grants and runtime use related to SMS, calls, phone state, network state, and device administration
- Network, DNS, proxy, or secure web gateway logs showing mobile device communication with external web services or cloud-hosted resources
- Static and dynamic APK analysis results, including obfuscation, encoded configuration, embedded URLs, and C2 command indicators
Detection direction
- Hunt for Android apps that mimic trusted security, police, system, or other legitimate applications, especially when their requested permissions are inconsistent with business purpose.
- Correlate suspicious app installs with outbound connections to common web services or cloud-hosted resources, recognizing that legitimate services create high false-positive noise.
- Review apps requesting or using SMS and call-control permissions, and separate expected business applications from newly installed, low-reputation, or user-acquired apps.
- Validate whether mobile security tooling can still report when device administrator permissions, rooting, or tool-disabling behavior is present.
- Use APK analysis to identify obfuscation and encoded configuration, but treat obfuscation as a risk signal rather than proof of malware by itself.
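As an added example (not Glexia's or MITRE's code), the following Python hunt scores a constructed Android app inventory against the detection directions above: identity masquerading (a trusted-sounding label on a package outside the allowed namespace), SMS/call/device-admin permissions, installation from a non-approved installer, and egress to public web services. Package prefixes, installer ids other than the Play Store, host names and the weights are all assumptions chosen for illustration.

```python
# Added example: hunt over a constructed Android app inventory.
# Package prefixes, MDM installer id, hosts and weights are assumptions.
from dataclasses import dataclass

# Permissions the page ties to this family's behaviour (SMS collection,
# call control, phone state discovery, device-admin abuse).
HIGH_RISK_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Label keywords that imply a trusted identity, mapped to the package
# prefixes allowed to carry that identity (assumed values).
TRUSTED_IDENTITIES = {
    "police": ("kr.police.official.",),
    "security": ("com.example.corpsec.",),
}

# Installer ids the organisation accepts: the Play Store id is real,
# the MDM installer id is an assumption.
APPROVED_INSTALLERS = {"com.android.vending", "com.example.mdm"}

# Public web services and push/cloud hosts: a weak signal on its own,
# because legitimate apps talk to the same services.
WEB_SERVICE_HOSTS = {"twitter.com", "api.twitter.com", "push.cloud-provider.test"}


@dataclass
class AppRecord:
    package: str
    label: str
    installer: str
    permissions: frozenset
    egress_hosts: frozenset


def assess(app: AppRecord):
    """Return (score, findings) for one app. Weights are editorial choices."""
    findings = []
    score = 0
    label = app.label.lower()
    for keyword, prefixes in TRUSTED_IDENTITIES.items():
        if keyword in label and not app.package.startswith(prefixes):
            findings.append(f"masquerade:{keyword}")
            score += 3
    risky = sorted(app.permissions & HIGH_RISK_PERMS)
    if risky:
        short = ",".join(p.rsplit(".", 1)[1] for p in risky)
        findings.append("high_risk_perms:" + short)
        score += len(risky)
    if app.installer not in APPROVED_INSTALLERS:
        findings.append(f"sideloaded:{app.installer}")
        score += 2
    if app.egress_hosts & WEB_SERVICE_HOSTS:
        findings.append("web_service_egress")
        score += 1
    return score, findings


def hunt(inventory, threshold=5):
    """Rank apps at or above threshold, highest score first."""
    ranked = []
    for app in inventory:
        score, findings = assess(app)
        if score >= threshold:
            ranked.append((app.package, score, findings))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample inventory; none of these are real package names.
SAMPLE_INVENTORY = [
    AppRecord("kr.police.official.app", "Police", "com.android.vending",
              frozenset({"android.permission.INTERNET"}), frozenset()),
    AppRecord("com.sample.police", "Korean Police", "com.android.chrome",
              frozenset({"android.permission.READ_SMS",
                         "android.permission.CALL_PHONE",
                         "android.permission.READ_PHONE_STATE"}),
              frozenset({"twitter.com"})),
    AppRecord("com.example.corpsec.agent", "Corp Security", "com.example.mdm",
              frozenset({"android.permission.BIND_DEVICE_ADMIN"}), frozenset()),
    AppRecord("com.social.app", "Chat", "com.android.vending",
              frozenset({"android.permission.READ_SMS"}), frozenset({"twitter.com"})),
]

if __name__ == "__main__":
    for package, score, findings in hunt(SAMPLE_INVENTORY):
        print(package, score, findings)
```

Only the sideloaded lookalike clears the default threshold; the genuine police app, the MDM-installed corporate agent with device-admin rights, and the chat app with SMS access each score low, which is the point of combining the signals rather than alerting on any one of them.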
Mitigation priorities
- Enforce Android device management for business access, including app inventory, policy compliance, and rapid quarantine or access revocation workflows.
- Restrict installation to approved sources and consider allowlisting or risk-based approval for sensitive user groups.
- Limit high-risk permissions such as SMS, call control, and device administrator privileges to applications with a validated business need.
- Maintain mobile phishing awareness focused on fake trusted applications and social engineering, especially for users in regions or roles matching organizational risk.
- Harden mobile endpoints against rooting and security-tool tampering, and ensure MDM/mobile security controls generate auditable enforcement logs.
Analyst notes and limits
The ATT&CK object identifies Android/SpyAgent as spyware associated with the MoqHao phishing campaign and fake security or police applications, with common C2 commands and a shared crash-report key on a cloud service. The relationship set is useful for defensive scoping because it connects the malware to SMS access, call control, masquerading, web-service C2, dead-drop resolution, obfuscation, network discovery, and disabling or modifying tools.
Official ATT&CK detection guidance is not provided, tactics are not specified, and the supplied fields do not support claims about current exploitation, attribution beyond the cited campaign context, enterprise exposure, or guaranteed detection. Local device ownership model, Android management coverage, legal access to SMS/call data, and network visibility will determine practical confidence.
Android/SpyAgent
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1629.003 | Disable or Modify Tools (sub-technique) | Android/SpyAgent has attempted to detect anti-spam call applications. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | Android/SpyAgent has used the official icon of the Korean police application and the package name "kpo," which contain references related to the Korean police. [1] |
| Mobile | T1481 | Web Service | Android/SpyAgent's payload has obtained the C2 address via Twitter accounts. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | Android/SpyAgent has exfiltrated SMS and MMS messages. [1] |
| Mobile | T1616 | Call Control | Android/SpyAgent can execute an automated phone call. [1] |
| Mobile | T1481.001 | Dead Drop Resolver (sub-technique) | Android/SpyAgent has used the Tencent Push Notification Service to receive commands from the C2 server. [1] |
| Mobile | T1422 | System Network Configuration Discovery | Android/SpyAgent has collected device network information, such as the IMEI and the phone number. [1] |
| Mobile | T1406 | Obfuscated Files or Information | Android/SpyAgent has used the Tencent packer to hide its malicious payload. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6e587771342a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] McAfee MoqHao 2019: Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024. (Open source URL)
- [2] mitre-attack S1214. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.