truthspy | 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c

Resubmissions

10/03/2025, 15:05

250310-sf8zxayzdy 10

10/03/2025, 05:34

250310-f9njvat1gy 10

01/03/2025, 02:26

250301-cxcd9swye1 10

Analysis

max time kernel
352s
max time network
367s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
10/03/2025, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Size

3.6MB
MD5

0366ae0abf0ada8aed90322bfe07dfd5
SHA1

2f0779ce64f02944e87674745cb446c5bc620607
SHA256

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA512

52f50f2f847628b1fb498784660050a6f189d8c7cc520c0d3a06ca28cc35ee4961d0a3daca71a540e263ab930ab629b884c3ff187d4abcd8f58549fdf87f9677
SSDEEP

98304:mD/SWbGiowrvH6Odp/9hBbW+te6lXhAyHtu:mWWbGjuvl9jS+oSc

Score

10^/10

truthspy banker collection credential_access defense_evasion discovery impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

truthspy

http://protocol-a100.phoneparental.com/protocols

Signatures

Truthspy
Truthspy is an Android stalkerware.
trojan infostealer spyware truthspy
Truthspy family
truthspy

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	stat /sbin/su
/system/bin/su	stat /system/bin/su
/system/xbin/su	stat /system/xbin/su

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.systemservice

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.systemservice

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.systemservice

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.systemservice

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.systemservice

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.systemservice

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.systemservice

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.systemservice

com.systemservice
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4322
- /system/bin/sh
  2⤵
  PID:4416
- - stat /sbin/su
    3⤵
    - Checks if the Android device is rooted.
    PID:4464
- - stat /system/sbin/su
    3⤵
    PID:4484
- - stat /system/bin/su
    3⤵
    - Checks if the Android device is rooted.
    PID:4504
- - stat /system/xbin/su
    3⤵
    - Checks if the Android device is rooted.
    PID:4524
- - stat /odm/bin/su
    3⤵
    PID:4544
- - stat /vendor/bin/su
    3⤵
    PID:4564
- - stat /vendor/xbin/su
    3⤵
    PID:4584
- su
  2⤵
  PID:4606

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.systemservice/cache/image_manager_disk_cache/119240b5c507da9ad0fa1c8aa89526b0d3b318ee30c724b3db8c9b0913ea064e.0.tmp

Filesize
2KB

MD5
48610ddc9a91fae7814ed15a5851aefd

SHA1
39a97a7794cfe4df667f3d0030e3290a1eae6061

SHA256
78063c1282a0a4e00d02c92811f6cddef48fb229e1f92cd4b17e3487b53402b5

SHA512
55d7c784c57a04746ce834aeeeb461467e313f2c34dc6e78c004bf58422acf54393edba98770161018b42dbf74de75a54f0d24e8b6b0afc5d96a9f832e9271e0

Download Submit
/data/data/com.systemservice/cache/image_manager_disk_cache/journal

Filesize
178B

MD5
032ab390ced84616c73c9b07dc01218b

SHA1
c2766b83007ab75cd65b8484578f629e1aca6c11

SHA256
98f30b7b773f4da858bbe3a6648b210785daedebeb382edc6662f2cf757795ea

SHA512
d31e29add59f705404db923c9431d6c947d23a2e1a8700fa4b07e62561c0a87d8dee1637ee045d4252b26365f8b95c678a57a93973bf8803b8135dbf1e6aed48

Download Submit
/data/data/com.systemservice/cache/image_manager_disk_cache/journal.tmp

Filesize
31B

MD5
8c92de9ce46d41a22f3b20f77404cc1d

SHA1
8671a6dca00edb72be47363a7071be65cf270373

SHA256
68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274

SHA512
30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
53c5bbf023ba260ae7a2f361c2c860f8

SHA1
1569a20739a4e3eed15807053dfa53109d7ea367

SHA256
841340159aa5db7143548dca749ea363a9313128d883fffa34ad27791795de64

SHA512
c0ab2377b93cc82f67d82e7d786c6ee38754ed357ce67669d38d02b0c5485f099df91e7fca453608cc9f4b4fce90d38c1d73475e7bbede5fbe5f373c6bdf5c99

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
900b1fde771d868b9475b52ab3675a59

SHA1
e072f52c1c630f6acda4a222bae09c5602f65611

SHA256
aa5cf70181c3d32be51714c118efd3fb48d8e6ccb3f74adc18c68a73ca483cf0

SHA512
7a18bf9046e0e276cbe279f7163b5c056ddac705dc76ed28ffbf4462b4d3edcd6ff913564f3eb98fd4a3e76ab9b4bb8564e7eba2aa11844d2f32565e90c8d7a7

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
36KB

MD5
045489a0639eee27bca52f48828cd93d

SHA1
436e7966e7c019273c44faa4d8c5709b816dfda3

SHA256
0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

SHA512
c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7237409e0640cfab7bdbd429bf821a3b

SHA1
4c3da934842f8d4835dfe2a9c275a300e5123309

SHA256
5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

SHA512
c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
ad801c4571906ab78e6adc10450a942b

SHA1
f19f03fe0b706719d01130fbf2c18b2975dd0060

SHA256
c1279cb028748fb093e870f69b4bd13be840b7af494c97052838334fb038e2db

SHA512
b7a1b2bb2dde0030eb2bc98bb948672567121101f3ca993892ff35fc10f7c034f7d5bf272bbfa039e71092a556db941f5f69d260b6df14c0d9bb213d2b14c77f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
2dff3c17045ca814e7950ad2430429e6

SHA1
1a7e309e82bbd983d760bd4d92ef24989c198f5b

SHA256
07bd6fea3d8e54f8b25b5794fed2a946b8092c6f2bb9d575c56f929098c4287a

SHA512
2252c227cd2c3588f3d52b4dc1cbea59794d3d0e57b955f391a12adf010a60e142907ef95971f339e9b2b01925320b313e57b30f2de45a4e669ce3a56e4892ff

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
937d188271f84a678c640cceea6f8065

SHA1
9e0a6d5befba5c2b032b9f629fa498af3450fedd

SHA256
825745ebad7f8d2fbf95685afb1e75012b4b6de980aac91b6c44fbfd1a1d035d

SHA512
83f39d5458dd81add9d0b18650166fcf67dee77f4a5bc24f4aa8a18dbae98dfdefabf3d2e751c45ab7d98db7729b4d1273ffda973fbe3bc12b7c3d22180c40e8

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
44ffedd428c2d6b049c85c1cee273729

SHA1
a9de2dc7028d5cb18e854954d8fe1dd48288aaa9

SHA256
e0a27f906d824df6a8e347faf6c83a9379b9911d7f219c80a49a6f54cafb39f0

SHA512
99d0de22c71312c48be52b6e4fb4b2993949673394c789c3b13904a9ac91d5d66a284b73048601b9c1fd7fe7d376049f91258cb0ab24fbcd9b4f594b225d296c

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
46fe110a0a71b6b35a9f2244b0c82bbc

SHA1
ab2ae3a05b8e66ad2e957038f6617c80646fc9db

SHA256
d16d29413c0b5787e33630f6cf0462c49fb189b10a1b01032cebcf60d513b461

SHA512
53047507342b4ada7b2a5d3d3ad7f000eed972a1e5d50efeaa840e687ba1d90120b23f41cb6b1cae53c834fc4341896b0abc2ae77cb4878e36e433637de23acb

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
6b24d8d4f906f528adde4e7e428854ec

SHA1
1a666632a2f896d4b5cc6a2f46108e9cd81cf02d

SHA256
523752748ea505e845c1740b74e62aaadd8049af3fe8d1eca7186111c552ac55

SHA512
515b8f96d1d63ea5810bbdc9f5b11b785e4c5f6ea993608aa5cea1b3b634e03c0a83c36371b7f59b8acf07e52cd633e837945573ab1e02edf9be46e87592444a

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
dd8f56d799e6564746008a96b597aeee

SHA1
4a876e92cc089d558c0c0a73c03359e5cde3497d

SHA256
9b34d070a8fe4b1e0ac700df7fb4f592e1740e03aa71fcb635f8ef84c82198ec

SHA512
6d53922bb446968f3587b838a6667a0097b59d15e4089bd3442fb1bb5368b02505a9452fef4e03957ac72a9c30a23183d0b09b91e9f3e5e067f447b99fe3c7c4

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
4a734cc0a795b30263d7b56e02058b83

SHA1
f9b0c447b94a00af4c9cdd520856e31be2d10a7b

SHA256
325e8664f4923738832ce47935bd813aadc0ae14039badff62e24da471b5ede8

SHA512
2f587fdfaa6112b067b61705561eeb872a5cd844bf7f8f74b2207d73fd4c435f43e0cb18e85f759c7a6c14b1d8a4a4f81aa4b0b74238438589d84643bd013421

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
c08ff61f0794667e67573d78b7cf3a4b

SHA1
bc137a46e97b615bac8d206659b3d3de9b51ede1

SHA256
de2c1e15aac02060f45c54f206a115b286b4fcdc1350d7b4d29a3d7d944b6fb4

SHA512
7c7682b37b962fa66762c9be536d092a1ed102fab1c4712cf4a55d611f6f437a27369b6b575e1acca30a309c7bf2a4f0134334d753b4012f8024fd69f0bd3998

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
a4e43a4b5d08ff515ce1c85f5152f019

SHA1
b5b373031d1fc411ddfa79c7cbeef9f2f4335a35

SHA256
9b2a639abff922a6dcff3233860933b4e12e3919d771c5aba0c44e97af8e2959

SHA512
af7b938fb76085d77f3507e1abba32fd550ffabf8a38fa7905a88237bf31eb50e1a22e28a6c8003f842edf61911a88f8306783801c993846891940e526ad4199

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
a9abb44abb70610d6817dff7e930d975

SHA1
9e10ad735bb3f389bb65200251214c1f79fcf2e3

SHA256
fb95116da7d4a1841b2e602a217a92095e3742793d7a1f9991101a6da7021982

SHA512
6d9cfe2ee24989a320b051b0e9f1c14eebf5faa4e8664d592893f55da55006906f7acd50820be32f42bd644754b335bc7e9fe6ce7e6bb4f4ad9a0cb1089922e8

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
1ed46bb910abd62ef753e4e1ca246122

SHA1
9e9573e8b1e6b6a68977ad9bd131ebf2f80ebaee

SHA256
341d2197e542f947d89d4f39163f930763d8acc9984e5e5cb7d42635ce26ecda

SHA512
5ad3133a10cf21db43ee15a1a2eb958cf8183b5a7e1e25bea9bed00317e98e7c67aa75778fb0214a785f9a093c9d34b82f5d4628561f33a5759cbc7d8be3dd03

Download Submit
/data/data/com.systemservice/files/PersistedInstallation1959243909418679175tmp

Filesize
557B

MD5
c574f9daa5d1c3533a2a39d43a459b2f

SHA1
1dbe2ce1063933b4a8b91084f84d07c2bd74fbb9

SHA256
72fc5c56155d1d690d91f2ec50e08c6636871d7c9bb4e6d3cf79edf52f413453

SHA512
c6276bc73529079243ef489ed54719d6cc90c30d30d971fcd1f616fbe1c93a317726bc71dd6b6a5699891fbf9a50fad06fc4b579adb2dc50e71b67f5d75c1272

Download Submit
/data/data/com.systemservice/files/PersistedInstallation6157993707487807952tmp

Filesize
90B

MD5
c91951efcf02ab86c95a6baea0269401

SHA1
31dfe7d8bdc7178cd9eef46cab104c6bb5ba67dd

SHA256
426f12ae6bad80140c38df95e6ff536eff7f1922535ada884cf286e1e6df3e10

SHA512
65e0434adaacda33a24eb90fb10774eae6c77b742ec2d493f30c9ef354b1dce48d95c09d5ad3100a3cb3ab050b8682409d100f2154f962673532e1a60d325b47

Download Submit
/data/data/com.systemservice/log/log4j.txt

Filesize
3KB

MD5
6111c88f364e3e526abda581047c8fb8

SHA1
fa0622e89a94e56208bb8335afd10078b67d0d96

SHA256
0c464f6d8dab63e84460c4a599e96415b51f3c1245461a9e42556ba7ff7e80cc

SHA512
ca0b2e311dd300f8599603c08c26886bd429c3e2cd8e2e817cf2c938f20f015b77e1345859606b85b7d1bc76a17bfadd9382cd2225cfa67d2999cd14c1b36e9b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads