truthspy | 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c

Analysis

max time kernel
17s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
10-11-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Size

3.6MB
MD5

0366ae0abf0ada8aed90322bfe07dfd5
SHA1

2f0779ce64f02944e87674745cb446c5bc620607
SHA256

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA512

52f50f2f847628b1fb498784660050a6f189d8c7cc520c0d3a06ca28cc35ee4961d0a3daca71a540e263ab930ab629b884c3ff187d4abcd8f58549fdf87f9677
SSDEEP

98304:mD/SWbGiowrvH6Odp/9hBbW+te6lXhAyHtu:mWWbGjuvl9jS+oSc

Score

10^/10

truthspy banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

truthspy

http://protocol-a100.phoneparental.com/protocols

Signatures

Truthspy
Truthspy is an Android stalkerware.
trojan infostealer spyware truthspy
Truthspy family
truthspy

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.systemservice

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.systemservice

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.systemservice

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.systemservice
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Acquires the wake lock 1 IoCs

Processes:

com.systemservice

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.systemservice
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.systemservice

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.systemservice
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.systemservice

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.systemservice
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.systemservice

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.systemservice

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.systemservice

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.systemservice

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.systemservice

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.systemservice

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.systemservice

com.systemservice
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4317

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.systemservice/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
56c95a37838aab56ec7511c0de9f7c99

SHA1
60c72459774b566d1195616094da70b7cc6761b7

SHA256
17c1c15afb8826806f700e8507e3b6e5c292a50f93b8b6b8dff4747f68ffb579

SHA512
9075bc2bbf86d1bef37179f4ae102ee7a7b7bfc2989265e3a98450ec461f6ac82732e3caf9d4ceecde990b89c4f4c296b857610a24ea489d566393f8ac860e9c

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
80ab04f9734a8e7a3dd961d8e3ce3555

SHA1
920fafd80cee94c4e519492e3a1aa69320f65f65

SHA256
318b1701b1d8d665b2e8b6e7c2dfa9bfd5c2aa666081cd58a4331588abd78878

SHA512
91b0857cb4dd9a6658155ab1e15b3613a56911207cc2524ee80a797f9d7b9166b6c8dc2b42fa79d1dd5474978b8cfc3cd74272332baa8e68d01d60bb034c76d8

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
36KB

MD5
045489a0639eee27bca52f48828cd93d

SHA1
436e7966e7c019273c44faa4d8c5709b816dfda3

SHA256
0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

SHA512
c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7237409e0640cfab7bdbd429bf821a3b

SHA1
4c3da934842f8d4835dfe2a9c275a300e5123309

SHA256
5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

SHA512
c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
e4e10a7aeac858a0bea9344daf25e70d

SHA1
369686d80d0117e39ef464898eee3e4d10e65af4

SHA256
9ed679b9b90a32bcbf6fd3572af309491cbe84be21e578420ca1f6910a7780c6

SHA512
8bfdfdeb464ed1ec7c24ff63f61324082d37c05672aea3d6528f2ee4feb92c27117d43245611a836225827abe93ab235ad140af23ed458c601c295c4a97e21fa

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
712c72d9d21cd1b947f9058be9cfd449

SHA1
676d16f3488f3b93c014019eb03db16a6000afb6

SHA256
52807fa21a49372be70b8ee3bf40f4c3c08e4462056be86f5f8217eea2aa825a

SHA512
14a9768420ad54f2d2878d5eebd27f68a219a5eb8e0dfd878cf7bbe428e8a55f2ebc16bfe750f2f5ad94ea23a8e96848519a8524d7b78f702499385d3e917109

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
381fb081c42b6dd642e1602f69869999

SHA1
9e7b84f90310063c6d4cee7a5104a90490d02734

SHA256
8e965320af4f223fa1aced6ff18a96e70278c76bfb5c161cdf2989d09c04828f

SHA512
40af23ae9ebe2261ff38ce6c673ea74825ccb1acfcb7d50a9ac34d88a200a1d1703f37d66c739d9276a2b5b0976f9fcf328100b36856eee72b2d8e5a16ee3f87

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
27e365e462596f66e6858ce9a3507e11

SHA1
ccb676ff84fda233e8e85e97f3f3d45eb5469d86

SHA256
57ff8bf875942671794ace1764c51cd05d37a91b64d64c37feb57edb83ee6799

SHA512
7d29b7051f42cc7940194c0ebdf4e4a721286e800c4330d7865e3650001482c1f856177525fb9fd107a801a470a1801fa361014bec69e70f07f92148d200018d

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
835cfc7decf507cdc5e54f602e3f9699

SHA1
4a55d424cb32e766554672cb2d0b3804fc47552f

SHA256
29257dbf2b37d226ace65bd68d001398801235d93ed830a35435bd4bab4de852

SHA512
2ab470c2200d97b545693a4cdc661100e46b0299f3d3890773681bc5f22f29eeda6b6a83a5c627fa22119726f3ce78d40021362a3f018a4f3afb4a08476c253d

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
9f485698c663fda7adf6646fefeea840

SHA1
83c504534a58d9cf14ed63a1d1f010ff9ecd99c8

SHA256
4b493117cb3fb63e3f7fcba9a34a38199dd8f53c91a36748b7c54688a80e1ca7

SHA512
e26e600feb08061ac589d1348b4f93ce3ebd4424b01eebd968d499efe679c6bc4a48f205efa6311e392c8a8344a81369ddf573b2e52065e4419c7576ab8d2eef

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
7a29c3e09c560ef9f160d3e3f2ce17e9

SHA1
0c8cd7d899f2555cc4da371a4afa5b45e9bdb35e

SHA256
32b88e02d8205021b5b6d5d8f22ef4c66be210bf1f7d8351f3bd07d0099b6a4d

SHA512
aabc2aa960e29a11c071f4cdbed61ce91acd0d28edee360d26ac8994174f44cbcfb20d0fb070998faa3fe0c493f9a9c5e898915a72b76b0ac18e59059c5a3853

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
1a58122bcd21a3064b82437f04b0482a

SHA1
1598c0b48fb3add779c6c0f6ec4390396aa2e297

SHA256
d6c46eacba0f1153b9ed1a7da8b4c2f5a4dc77294efd8da30f93dc9fb3b0b644

SHA512
fe74aab7c8da01cbcb517b7e172c9353205534f0a7eeb8bfd7a158539b83c8bff66b54ff49e143fcbe4bc5a6c3e44603c125bd3b39ed2b1cc718b6781f3b2e56

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
7381b9aef8e3c8792796b529999888c5

SHA1
c137f15820e40eef68f4a442e093e63570efc73a

SHA256
5e5497e99d2bccbb33b608cbef9a21a55df350bcfb37a66236528225e450ceb3

SHA512
4b651cdda6bfc473ec511481eb0fba24d6f26e87a7572ec4284438ad409b3e60221a665a820728d2f1b4497e3b2d9e7cd30c148c76a5a1889bd0b47ea0f4cceb

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
0c388f9df5681af9e55860d64c043bc4

SHA1
4a1be3f566b75c42e765ac9fe064dac0223e0e0e

SHA256
295a4d1d2abe134c047a05d5fdbd5da8272939e378e864f571635b98f4ffcee5

SHA512
7c33a6f18315b47daa4a0c5686f4753de421f7a1093c1906f6a2b9f299cb0d18eeacda6eca8c27a9f13b9acc6ea6dde9a9c42d7263588eae1615e262a51acbeb

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
91bf1aef14b6f5985105ed81f953c13c

SHA1
9070bbc8e87b0d2c97d724b67c3a962fc889e695

SHA256
d7347ae39883e841a32bcdcd83b97ff2b23f6e9bf23924cee6ef1ef37bc91233

SHA512
654f51096f061414a6b443d97da760bcff48bebe6769fecf5329f240a54c40a23db2efa07c5e108c80fa3871c30de6d65fb6723f7e019df45306dd6ff836bb1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
99b2277870f59ce82ce08ccbd4d2aa25

SHA1
78e13870224f5db3f01854be626a694956cf5871

SHA256
a61b5370afdfccc3549c0a6f6b167aa4ea8d37f3a276b7a8f8c6355ff2866af9

SHA512
7044de21738d9991c462f34baee73be1366efc2132e3fe1bda16d11c3cad228558b4ba6dbd8dc8a7bf633b571aad62b7428cd49c4797cc9b7da3221708bdbd0a

Download Submit
/data/data/com.systemservice/files/PersistedInstallation4414438220445250278tmp

Filesize
554B

MD5
54554caaffb72a7f75b2a4280ba8e529

SHA1
434df64e9305b8cde28e8191b130f50dd989bdd2

SHA256
25b0df24286c20786ec9cffea7e8c52e7b5ec70f5fddab3d91c28dff4208a76a

SHA512
37898b0be1cef1793e46b2a13ac5196f83f5180a7f93999a7942829b0373165a9e646803f4dff34b4bcf524779b1d9c75e06bc496ff65cf39b9fc1fcb17fbadd

Download Submit
/data/data/com.systemservice/files/PersistedInstallation6561195335480623728tmp

Filesize
90B

MD5
f492fd1cce3214dcaac9ecf4ca858d26

SHA1
862c8ca37a611d50df25604f2344c61c06a5d221

SHA256
b7968ec235e26767f4901b3fec7d51c241d6505bbd0a016161a5cc42b27c0fed

SHA512
425025fb070870bd615ac1ed56ad623c868ad8917feaa8faf4594c5a83e528596f1f05eb642558fdf4a32c945bd5711705cc1826d07f03be776f520797b536fe

Download Submit
/data/data/com.systemservice/log/log4j.txt

Filesize
3KB

MD5
561b7b100d8a32c589f3f7c57bfc57ca

SHA1
12b622b1cdf76daa9406d3b7c160eae753eea307

SHA256
554960ec12a982182e9b690f5199abf1569c40299d93922f1dab84157814d27c

SHA512
45a0e210880d3c2aa74b2ebc58baa5450caa7fe2ae6050f21c4b5d456b406613a6f31a9dc65a205c88d7e9e23683d3dabc5716355305e7c6ce0ba2581a9e0d3d

Download Submit