truthspy | 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c

Analysis

max time kernel
17s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
26-10-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Size

3.6MB
MD5

0366ae0abf0ada8aed90322bfe07dfd5
SHA1

2f0779ce64f02944e87674745cb446c5bc620607
SHA256

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA512

52f50f2f847628b1fb498784660050a6f189d8c7cc520c0d3a06ca28cc35ee4961d0a3daca71a540e263ab930ab629b884c3ff187d4abcd8f58549fdf87f9677
SSDEEP

98304:mD/SWbGiowrvH6Odp/9hBbW+te6lXhAyHtu:mWWbGjuvl9jS+oSc

Score

10^/10

truthspy banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

truthspy

http://protocol-a100.phoneparental.com/protocols

Signatures

Truthspy
Truthspy is an Android stalkerware.
trojan infostealer spyware truthspy
Truthspy family
truthspy

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.systemservice

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.systemservice

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.systemservice

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.systemservice
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Acquires the wake lock 1 IoCs

Processes:

com.systemservice

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.systemservice
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.systemservice

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.systemservice
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.systemservice

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.systemservice
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.systemservice

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.systemservice

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.systemservice

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.systemservice

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.systemservice

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.systemservice

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.systemservice

com.systemservice
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4259

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.systemservice/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
4834fa859ce87b1a0d871f845b4ec14d

SHA1
3b88bf36e50152a9b365418a1651945c3c455650

SHA256
281e8e367862ac19eec960f19e7cfa266006a6cc52804bf9dfd49f5de326a227

SHA512
536639956c3f9e7a9a50259c8755ef7516639d4f3371e484545f67e5d27e862569db02fe2ed351928863fc8349b371060fc29b16168c8809672083301b2e1151

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
6e8745fdf4ff162b3de7a6fbdd308d5a

SHA1
25dff957ab175c5f185585f84a9373c5cd3c4f6b

SHA256
09ab385b4764249f82143617ceb2e01df692c66516e0e1df48cbefb6d07da22c

SHA512
814b6ca4885c05b10f99aac37f4c8c2fe2726812f1a4361987870ad7806cfa29ea74da3b08481e14cf4340cf1a855234e3a842b74fc3e575a42d8e140705716b

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
36KB

MD5
045489a0639eee27bca52f48828cd93d

SHA1
436e7966e7c019273c44faa4d8c5709b816dfda3

SHA256
0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

SHA512
c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7237409e0640cfab7bdbd429bf821a3b

SHA1
4c3da934842f8d4835dfe2a9c275a300e5123309

SHA256
5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

SHA512
c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
37f6e2d8be37907885708e5ffda8978d

SHA1
602026468168120f7deb6991e21ab6b45d440fa7

SHA256
63755109e2804e2879ad49b1ac27b20cf867752b3844f77c6cd9cc19326a5783

SHA512
9fffd1614e0384bd342040aa58837d09a1bc38b40a829c2d0ac243c0eef3274b852efa478adde98859c409765769fa19f91f2a592a96e5fcbc77a6e5e21e3014

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
81026a7249092348ec097535c8e076dd

SHA1
30e3e7634e0af40ffd57fad0e3a7e45b1b89e2ca

SHA256
15d5983c8015f601080e48e21181cda6addc8415b341ff2305339ecc42b78cfd

SHA512
edbedb88f7dc0a07ec85345205114957e15f7b34458a8dc165002aecf1392ef2c2ea6836772cccb96ca9b38a2089d6e911a36da07c79f388f1070a72a0887c49

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
d986fb70138ff05dd269e282c033fb86

SHA1
1f4d20b6746edc18d51afbad6b23b8458a4dc6f9

SHA256
b3fe85def3bb1d0b1f4ab91af5dc71cb4de101ae0ba47be33e46fc0ea8bcefd0

SHA512
8ad6bf16e02d92bfa86156e3f9f08bd70bd1833dc4e31e20a7e49a03ece1b2c106fa7e5f355952c1c0d6b0990e391e4772041a7ae7aa3c36812f5d5f2e7c042d

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
8e543b08538a6019369f826b85571975

SHA1
424e2708b2ce09ccf8139b8ccb99a639f7a60b2a

SHA256
e9335197d6544d725657b67b83c32b34e8f6b640b1db3d3f5493af4041dd4bfb

SHA512
070063b77efd4496f65572adf34f0638b250248327735a5f229a4f1593f568d8cb2b54fbae2610c6be6cfffdecfd2e16f099e7e18f72f2ec5b52c3878be1d6b4

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
835cfc7decf507cdc5e54f602e3f9699

SHA1
4a55d424cb32e766554672cb2d0b3804fc47552f

SHA256
29257dbf2b37d226ace65bd68d001398801235d93ed830a35435bd4bab4de852

SHA512
2ab470c2200d97b545693a4cdc661100e46b0299f3d3890773681bc5f22f29eeda6b6a83a5c627fa22119726f3ce78d40021362a3f018a4f3afb4a08476c253d

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
f7a74210bba5b4fa8a3581f1a2e4848e

SHA1
b5465363a70ef4c2f1e957bf372c8416137bd113

SHA256
2e5f9080fd93e8b27d2627148ebbbeef3e05221100784beacbdc6b46f8fb0b52

SHA512
bac958ab7f00697ee895792669bf8248b87a54fa4fe8d2a3c318afdfa344ac171304e899fa1751a442d306b31be1382fc7c9cf20c84c7feb2a5dbedd8f3518f1

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
3d77f5b68d68a52ee7651ba8ed884d2d

SHA1
41363e088e91b96cde7710caea15fdbe474495a3

SHA256
826e606b0049f916cac2900e6f299e6b92ccb20bc6b7ad31576104a6f13f8b10

SHA512
43c9a2f312023e5133ec85ada8fceb844b9615c83fc82b2e5bb07f14e72571e14557972e2860e79869fe43e0c5a2d0b2924f428ed7cd7af8d8ba47032821586f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
d2db279d86ad4728a1c9901ef4c480a9

SHA1
22cd25d6cb9abfb7296e52e69735e76e03b38180

SHA256
40f393da6bb8268e8c96f76059259a7f83d4b2f7b07cabb9b587287f0b06c13a

SHA512
71c995de829710f1e290a05b01b4cd65db7a754a7e88301364981b65e0296b705f2ec1692045c4378f7d5da01fefb40e586471cf0c29621c84a2ce4ab95fdd97

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
bdd17c605d161c1ff04fc3fdb87293e2

SHA1
b01dd95181e59a14e6dccb3e4fe93a8fa7d48b6a

SHA256
12542be252e491158b9da34aec47fd841e817bf9946724326c15ddd6c0ebd13b

SHA512
eb7df27f8197b273e4fd7936b5af5352218a40b88674cd93484c634a4f2188f14345c4a7cf78b6456cd0428b93eb4aa2091dd817d250e579ec4ed085ec547af8

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
e227339e82221aecc730faf147b543f1

SHA1
d00cecb680d2372db0c5ab67e445c6a50a5337d1

SHA256
5e28bf9b54257b88b880879eba31b83e04d05df579ef617131a8a291714bccf3

SHA512
15cdd80b26a1f96cb4ae176fbbca97129273f86605f3a1534dcffe812ff677548ea48d1657a7e7de9ba02e7e7c810f30ccb59b85b640b4d6950387a736886802

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
d4b95ae405e8fb42fd9ce1a7bbd6e0f7

SHA1
99cd4596deba8cc5b1e9aaf6e77d211372692247

SHA256
6014c475588c691d65c2162114011f701bd1e9beb871bf4818ed6d1ca065a791

SHA512
ebc7c022cbb56bc7cd104e3807c4cbb8feacae591adb1400cb6429960d83dad64f60bc3d3e0c0d308be06a31f50e33f240e28c892966a8b23b7fdd699f73d893

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
cd1fba9a55f0402483d17b4c6fe97679

SHA1
2dd5ffc928c8b4b1ff4f6c6682be3e7248a8de03

SHA256
c8b3f111c0cf0ed1256871c0cdd5ef0b62c408eee443da7f6767d7c6c1dd5c70

SHA512
b73f9438c607cee3fc2a963d89741062eacfbfdd9205d898bc038ae3b2e551c40c73132136b86c65666ff6251efe821f7aa854a0c9977c435da0d14f60af476a

Download Submit
/data/data/com.systemservice/files/PersistedInstallation3552811442542389847tmp

Filesize
553B

MD5
fcc76685a14cf0c783331141cd6bcc12

SHA1
8abbb2c964ea2d681ebff9deb9f241df8638c1e4

SHA256
c27146937a91e68727788d00c9357dd95abe7a18d865b5b6ecb1f8318a89a0e6

SHA512
8b5b3ee300c71f396909f9c4850aaada19e130532555cacf446de20041e899876093a46825242c9c61423eac52a806677996c5b32ba0a3e6088c8d95d1eed550

Download Submit
/data/data/com.systemservice/files/PersistedInstallation8418508810565937400tmp

Filesize
90B

MD5
9cd4c234b625d8c06cbe1b862e492934

SHA1
9ee113843b173734073f8d7ffe1484958f53e6da

SHA256
207484bafd072541f11944f89fbe4290d646557b2372a749740f36fc919c55fd

SHA512
2b0a5060977949a3eef945860a84b1654707ee8eb721ed62c14ba0746ee9f8009b22726d0d0487407aada9feb651bc40361d77ccee44ce2c17081c396de0595b

Download Submit
/data/data/com.systemservice/log/log4j.txt

Filesize
3KB

MD5
2693da427bac5100b6038cb87033a840

SHA1
62c8e65bec8ca9ca90db88463e005ee79dc7e6f8

SHA256
69e5b0e678f5499006d07e6b469638deb1337d73993363315a3ef2875df4fac7

SHA512
027c7bc1dc0c4a5147169e85bbb19511bc89270234e5f6479a7efd4b1171f0236ae3dd7df77ed1eb3e64cb8a691b0a729bd279208e641ba05fe039cb8c7dd8d8

Download Submit