{
  "description": "Mobile techniques used by FlexiSpy, ATT&CK software S0408 (v1.0)",
  "name": "FlexiSpy (S0408)",
  "domain": "mobile-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1429", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1533", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1624", "showSubtechniques": true},
    {"techniqueID": "T1624.001", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1628", "showSubtechniques": true},
    {"techniqueID": "T1628.001", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1625", "showSubtechniques": true},
    {"techniqueID": "T1625.001", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1630", "showSubtechniques": true},
    {"techniqueID": "T1630.002", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1417", "showSubtechniques": true},
    {"techniqueID": "T1417.001", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1430", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1509", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1406", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1636", "showSubtechniques": true},
    {"techniqueID": "T1636.001", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1636.003", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1636.004", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1513", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1418", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1409", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. [FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1421", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1512", "comment": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FlexiSpy", "color": "#66b1ff"}]
}