1. Home
  2. Software
  3. BOULDSPY

BOULDSPY

BOULDSPY is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that BOULDSPY primarily targeted minority groups in Iran.[1]

ID: S1079
Type: MALWARE
Platforms: Android
Contributors: Gunji Satoshi, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd
Version: 1.0
Created: 21 July 2023
Last Modified: 20 October 2023
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1437 .001 Application Layer Protocol: Web Protocols

BOULDSPY uses unencrypted HTTP traffic between the victim and C2 infrastructure.[1]
Mobile T1532 Archive Collected Data

BOULDSPY can encrypt its data before exfiltration.[1]
Mobile T1429 Audio Capture

BOULDSPY can access a device’s microphone to record audio, as well as cell and VoIP application calls.[1]
Mobile T1398 Boot or Logon Initialization Scripts

BOULDSPY can exfiltrate data when the user boots the app, or on device boot.[1]
Mobile T1414 Clipboard Data

BOULDSPY can collect clipboard data.[1]
Mobile T1577 Compromise Application Executable

BOULDSPY can inject malicious packages into applications already existing on an infected device.[1]
Mobile T1533 Data from Local System

BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device.[1]
Mobile T1407 Download New Code at Runtime

BOULDSPY can download and run code obtained from the C2.[1]
Mobile T1624 Event Triggered Execution

BOULDSPY uses a background service that can restart itself when the parent activity is stopped.[1]

Mobile T1646 Exfiltration Over C2 Channel

BOULDSPY has exfiltrated cached data from infected devices.[1]
Mobile T1417 .001 Input Capture: Keylogging

BOULDSPY can capture keystrokes.[1]
Mobile T1430 Location Tracking

BOULDSPY can get a device’s location using GPS or network.[1]
Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

BOULDSPY has been installed using the package name com.android.callservice, pretending to be an Android system service.[1]
Mobile T1644 Out of Band Data

BOULDSPY can use SMS to send C2 commands.[1]
Mobile T1636 .002 Protected User Data: Call Log

BOULDSPY can access device call logs.[1]
.003 Protected User Data: Contact List

BOULDSPY can exfiltrate a device’s contacts.[1]
.004 Protected User Data: SMS Messages

BOULDSPY can exfiltrate SMS logs.[1]
Mobile T1513 Screen Capture

BOULDSPY can take and exfiltrate screenshots.[1]
Mobile T1418 Software Discovery

BOULDSPY can retrieve the list of installed applications.[1]
Mobile T1409 Stored Application Data

BOULDSPY can retrieve account information for third party services, such as Google, Telegram, WeChat, or WhatsApp.[1]
Mobile T1426 System Information Discovery

BOULDSPY can collect system information, such as Android version and device identifiers.[1]
Mobile T1422 System Network Configuration Discovery

BOULDSPY can collect network information, such as IP address, SIM card info, and Wi-Fi info.[1]
.001 Internet Connection Discovery

BOULDSPY can collect network information, such as IP address, SIM card info, and Wi-Fi info.[1]
.002 Wi-Fi Discovery

BOULDSPY can collect network information, such as IP address, SIM card info, and Wi-Fi info.[1]
Mobile T1512 Video Capture

BOULDSPY can take photos using the device cameras.[1]

References

  1. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.