Resubmissions
Submitted          Analysis ID         Score
10/03/2025, 15:05  250310-sf8zxayzdy   10
10/03/2025, 05:34  250310-f9njvat1gy   10
01/03/2025, 02:26  250301-cxcd9swye1   10

Analysis
max time kernel: 109s
max time network: 110s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 10/03/2025, 15:05
Behavioral task
behavioral1
Sample
92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Resource
android-x86-arm-20240910-en
General
Target: 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Size: 3.6MB
MD5: 0366ae0abf0ada8aed90322bfe07dfd5
SHA1: 2f0779ce64f02944e87674745cb446c5bc620607
SHA256: 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA512: 52f50f2f847628b1fb498784660050a6f189d8c7cc520c0d3a06ca28cc35ee4961d0a3daca71a540e263ab930ab629b884c3ff187d4abcd8f58549fdf87f9677
SSDEEP: 98304:mD/SWbGiowrvH6Odp/9hBbW+te6lXhAyHtu:mWWbGjuvl9jS+oSc
Malware Config
Extracted
Family: truthspy
C2: http://protocol-a100.phoneparental.com/protocols
Signatures

Truthspy
Truthspy is Android stalkerware.
Truthspy family

Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  ioc: /sbin/su | Process: stat /sbin/su
  ioc: /system/bin/su | Process: stat /system/bin/su
  ioc: /system/xbin/su | Process: stat /system/xbin/su

Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.systemservice

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call | ioc: android.content.IClipboard.addPrimaryClipChangedListener | Process: com.systemservice

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Acquires the wake lock (1 IoC)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.systemservice

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow: 66 | ioc: raw.githubusercontent.com

Queries information about active data network (1 TTP, 1 IoC)
  description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.systemservice

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call | ioc: android.net.wifi.IWifiManager.getConnectionInfo | Process: com.systemservice

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTP, 1 IoC)
  description: Intent action | ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | Process: com.systemservice

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: com.systemservice

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.systemservice
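The framework service calls and intent actions listed above are the raw material for a capability-based triage of the process that issued them. The following is an added example, not the sandbox's own scoring logic and not code from the TruthSpy sample: it groups the report's IoC rows into capability tags per process and applies a combination rule. The IOC_ROWS list is constructed from this report's signature rows (the two signatures without IoC rows, installed-app enumeration and device-ID queries, are therefore absent); the capability mapping, the tag names and the verdict thresholds are the example's own assumptions.

```python
"""Capability triage over Android framework-call IoCs from a sandbox report.

Added example: not the sandbox's scoring logic and not code from the TruthSpy
sample. IOC_ROWS is constructed from this report's signature section; the
capability mapping, tag names and verdict thresholds are assumptions of this
example, not part of the report.
"""
from collections import defaultdict

# Constructed from the report: (ioc kind, ioc value, process).
IOC_ROWS = [
    ("Framework service call",
     "android.accessibilityservice.IAccessibilityServiceConnection"
     ".findAccessibilityNodeInfoByAccessibilityId", "com.systemservice"),
    ("Framework service call", "android.content.IClipboard.addPrimaryClipChangedListener",
     "com.systemservice"),
    ("Framework service call", "android.os.IPowerManager.acquireWakeLock", "com.systemservice"),
    ("Framework service call", "android.net.IConnectivityManager.getActiveNetworkInfo",
     "com.systemservice"),
    ("Framework service call", "android.net.wifi.IWifiManager.getConnectionInfo",
     "com.systemservice"),
    ("Intent action", "android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS",
     "com.systemservice"),
    ("Intent action", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
     "com.systemservice"),
    ("Framework service call", "android.app.IActivityManager.registerReceiver",
     "com.systemservice"),
]

# Assumed mapping (this example's own): Binder interface method or settings
# action -> capability tag. Keys are matched as suffixes of the IoC value.
CAPABILITIES = {
    "IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId": "screen_scraping",
    "IClipboard.addPrimaryClipChangedListener": "clipboard_capture",
    "ACTION_NOTIFICATION_LISTENER_SETTINGS": "notification_access",
    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "background_persistence",
    "IPowerManager.acquireWakeLock": "background_persistence",
    "IConnectivityManager.getActiveNetworkInfo": "network_recon",
    "IWifiManager.getConnectionInfo": "network_recon",
    "IActivityManager.registerReceiver": "event_monitoring",
}

# Tags that read user content. Each is also used by legitimate apps (screen
# readers, clipboard managers, notification mirrors), so one alone is not a verdict.
SURVEILLANCE = frozenset({"screen_scraping", "clipboard_capture", "notification_access"})


def capabilities_by_process(rows):
    """Return ({process: {tags}}, {process: {unmapped IoC values}})."""
    caps, unmapped = defaultdict(set), defaultdict(set)
    for _kind, value, proc in rows:
        tag = next((t for suffix, t in CAPABILITIES.items() if value.endswith(suffix)), None)
        if tag is None:
            unmapped[proc].add(value)
        else:
            caps[proc].add(tag)
    return dict(caps), dict(unmapped)


def verdict(tags):
    """Assumed rule: two or more surveillance tags plus background persistence in
    one process is 'likely stalkerware'; a single surveillance tag only earns 'review'."""
    surveillance = set(tags) & SURVEILLANCE
    if len(surveillance) >= 2 and "background_persistence" in tags:
        return "likely stalkerware"
    if surveillance:
        return "review"
    return "no surveillance capability observed"


def triage(rows):
    """Per-process summary: sorted capability tags, unmapped IoC values and the verdict."""
    caps, unmapped = capabilities_by_process(rows)
    summary = {}
    for proc in sorted(set(caps) | set(unmapped)):
        tags = caps.get(proc, set())
        summary[proc] = {
            "capabilities": sorted(tags),
            "unmapped": sorted(unmapped.get(proc, set())),
            "verdict": verdict(tags),
        }
    return summary


if __name__ == "__main__":
    for proc, s in triage(IOC_ROWS).items():
        print(f"{proc}: {s['verdict']} [{', '.join(s['capabilities'])}]")
```

Accessibility, clipboard listeners and notification access are all legitimately used by screen readers, clipboard managers and notification mirrors, which is why the rule only escalates when several of them co-occur in one process with the battery-optimisation exemption or wake lock this sample requests. Unmapped IoC values are returned rather than silently dropped so that new framework calls show up for review instead of lowering the score; thresholds should be tuned against a benign corpus before use.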
Processes

com.systemservice (PID 4219)
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  /system/bin/sh (PID 4363)
    stat /sbin/su (PID 4411)
      - Checks if the Android device is rooted.
    stat /system/sbin/su (PID 4431)
    stat /system/bin/su (PID 4451)
      - Checks if the Android device is rooted.
    stat /system/xbin/su (PID 4471)
      - Checks if the Android device is rooted.
    stat /odm/bin/su (PID 4491)
    stat /vendor/bin/su (PID 4511)
    stat /vendor/xbin/su (PID 4531)
  su (PID 4576)
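The shell spawned by com.systemservice stats seven candidate su binaries and the app then executes su directly, while the sandbox signature above counts only three of those paths as IoCs. The following added example, not the sandbox's own detection logic, rebuilds the process tree from (pid, ppid, cmdline) events, attributes each probe through the shell wrapper to the nearest non-shell ancestor, and reports whether an su execution appears in that process's subtree. PROCESS_EVENTS is constructed from the PIDs and command lines shown in this section; the parent PID of com.systemservice is not shown in the report and is assumed to be 0, and the set of probe commands and the three-path threshold are the example's own choices.

```python
"""Root-probe detection over a process tree.

Added example: not the sandbox's own signature logic. PROCESS_EVENTS is
constructed from the PIDs and command lines in this report's process tree;
the parent PID of com.systemservice is not shown there and is assumed to be 0.
"""
import os
import shlex
from collections import defaultdict

# Constructed from the report: (pid, ppid, cmdline).
PROCESS_EVENTS = [
    (4219, 0, "com.systemservice"),      # ppid 0 is an assumption
    (4363, 4219, "/system/bin/sh"),
    (4411, 4363, "stat /sbin/su"),
    (4431, 4363, "stat /system/sbin/su"),
    (4451, 4363, "stat /system/bin/su"),
    (4471, 4363, "stat /system/xbin/su"),
    (4491, 4363, "stat /odm/bin/su"),
    (4511, 4363, "stat /vendor/bin/su"),
    (4531, 4363, "stat /vendor/xbin/su"),
    (4576, 4219, "su"),
]

SHELLS = {"sh", "bash", "mksh"}
PROBE_TOOLS = {"stat", "ls", "test", "["}   # commands that only check whether a file exists


def build_tree(events):
    """Index events by pid and by parent pid."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def argv0_base(cmdline):
    argv = shlex.split(cmdline)
    return os.path.basename(argv[0]) if argv else ""


def probed_su_path(cmdline):
    """Return the path if cmdline is an existence probe of a file named su, else None."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or os.path.basename(argv[0]) not in PROBE_TOOLS:
        return None
    return next((a for a in argv[1:] if os.path.basename(a) == "su"), None)


def attribute_origin(by_pid, pid):
    """Walk up through shell wrappers to the nearest non-shell ancestor (None if unknown)."""
    cur = by_pid[pid][0]
    while cur in by_pid and argv0_base(by_pid[cur][1]) in SHELLS:
        cur = by_pid[cur][0]
    return cur if cur in by_pid else None


def descendants(children, pid):
    stack, out = [pid], []
    while stack:
        for child in children.get(stack.pop(), ()):
            out.append(child)
            stack.append(child)
    return out


def find_root_probes(events, min_paths=3):
    """Report each app process whose shell children probe >= min_paths distinct su
    binaries, together with whether an `su` execution appears in its subtree."""
    by_pid, children = build_tree(events)
    probes = defaultdict(set)
    for pid, (_ppid, cmd) in by_pid.items():
        path = probed_su_path(cmd)
        origin = attribute_origin(by_pid, pid) if path else None
        if origin is not None:
            probes[origin].add(path)
    findings = []
    for origin, paths in probes.items():
        if len(paths) < min_paths:
            continue
        su_attempt = any(argv0_base(by_pid[c][1]) == "su" for c in descendants(children, origin))
        findings.append({"pid": origin, "process": by_pid[origin][1],
                         "probed_paths": sorted(paths), "su_attempt": su_attempt})
    return findings


if __name__ == "__main__":
    for f in find_root_probes(PROCESS_EVENTS):
        print(f"{f['process']} (pid {f['pid']}) probed {len(f['probed_paths'])} su paths; "
              f"su executed: {f['su_attempt']}")
```

Attributing through the shell matters because the stat calls are children of /system/bin/sh, not of the app; without that step the finding would name the shell and lose the package. A single stat of one su path is ordinary (root-detection libraries in banking apps do it too), so the threshold asks for several distinct paths, and the su execution is reported separately because a sample that merely checks for root behaves differently from one that tries to use it.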
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15

Credential Access
  Access Notifications (1)
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (1)
  System Network Configuration Discovery (1)
  System Network Connections Discovery (2)
Downloads

/data/data/com.systemservice/cache/image_manager_disk_cache/119240b5c507da9ad0fa1c8aa89526b0d3b318ee30c724b3db8c9b0913ea064e.0.tmp
Filesize: 2KB
MD5: 48610ddc9a91fae7814ed15a5851aefd
SHA1: 39a97a7794cfe4df667f3d0030e3290a1eae6061
SHA256: 78063c1282a0a4e00d02c92811f6cddef48fb229e1f92cd4b17e3487b53402b5
SHA512: 55d7c784c57a04746ce834aeeeb461467e313f2c34dc6e78c004bf58422acf54393edba98770161018b42dbf74de75a54f0d24e8b6b0afc5d96a9f832e9271e0

Filesize: 178B
MD5: 032ab390ced84616c73c9b07dc01218b
SHA1: c2766b83007ab75cd65b8484578f629e1aca6c11
SHA256: 98f30b7b773f4da858bbe3a6648b210785daedebeb382edc6662f2cf757795ea
SHA512: d31e29add59f705404db923c9431d6c947d23a2e1a8700fa4b07e62561c0a87d8dee1637ee045d4252b26365f8b95c678a57a93973bf8803b8135dbf1e6aed48

Filesize: 31B
MD5: 8c92de9ce46d41a22f3b20f77404cc1d
SHA1: 8671a6dca00edb72be47363a7071be65cf270373
SHA256: 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512: 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

Filesize: 4KB
MD5: fca4d2d6a1a02a32e770be9c95f428f7
SHA1: b40eeca94bce3a5d4abbeec789b440ce223ffb7f
SHA256: 48fe6acd4ad321e68aaf03103463183ae1990e62e8ed408d1ee92d434bde7fae
SHA512: a38a36785db7312210e558a8f800d63d66d2bc9870768c5b18f0008ab2654deaf2349abd3b5aebf356d7e18bdf0753566a1c334a8406f57b1c699341a2c27a95

Filesize: 512B
MD5: 58f16c2e32519ff8648bf3da85dd952a
SHA1: 7e330e0544697f8e02aa3231c6f3463b7584762e
SHA256: a7c7c6ea8db1d903cb570f6ef88ffd5310bd3e7d80dfe2458a2c55d1e2c1088a
SHA512: e8ac662088d0cc063a6318e9c30dd03b388c815ce4872f27dc6a2695f4a252923beffe6d4ab4283a5a19d696562805e6bd153f5fa4693f7f99dbadf2f5e0b389

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 68KB
MD5: cbb62ca69a9262e99418fa7e1974d71a
SHA1: 0b5c36a0518713529a5fca7521ea3e97e596944f
SHA256: d935c93401f4189cf89c7f6934a5f103ad9efa10c39a0d80fcac6d5bcb63139b
SHA512: 83b1da892c13c8614704d70b619a05359d6ba3a55d04a5dbb6f79a7721d3b0ea393ad9c57887db5a3dfa54b3f99f3245706cda564673faebe9599886c8f5b16c

Filesize: 36KB
MD5: 045489a0639eee27bca52f48828cd93d
SHA1: 436e7966e7c019273c44faa4d8c5709b816dfda3
SHA256: 0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e
SHA512: c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Filesize: 16KB
MD5: 7237409e0640cfab7bdbd429bf821a3b
SHA1: 4c3da934842f8d4835dfe2a9c275a300e5123309
SHA256: 5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa
SHA512: c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Filesize: 16KB
MD5: ce578e6a0cf245642413d4496cb51a0a
SHA1: bc9259864607dc21f39e0cc1b26cc6d13073d426
SHA256: e0aad0709d35ce63896ca911ae2f833198f78f07b324e9f2b709d41c47278f5b
SHA512: f275fa087e27af06ef4e78dc72ee6759fa02718ae52a36440c06d49db7ba753f074846bc0834f3eee333277878c334592679dd3fd0134c3d683e666d4e23e781

Filesize: 16KB
MD5: 2977dab3897d63738887d168d117f77b
SHA1: 365dbe5e019a5a7c793fbaa16b4944be7cf1e367
SHA256: 9990b32d28c73b03ba98d712b1061cc73b7ef2c754fc35097965437b6629e87a
SHA512: 50aecbf10a2a58a1ce4ab04d4d34d85e16531642b839407681874ab2bcb52b5160e3a00c5f6108f22d341fee40656e9defa8ffeb051fca7a4d1048945384d6ec

Filesize: 16KB
MD5: 2776d8a05860813f0904a82f260981d6
SHA1: db86abd4d479d221ee9c85321c987cd56677baf4
SHA256: 63e7d2206e614f7217d4b7f431d5c296e669830a9769fdde392a6508eeffb75b
SHA512: 07ec2f5954e6252d7b8c8720c115e431dee7b4dfac658171ed3f0804443aeaa9b0697019668d78e34813fc4484c49ca656ad2fc2f94d44dd62b7a8b250a0c488

Filesize: 16KB
MD5: e084b5db5a1f5d58fb6f961998f6ccb1
SHA1: 900f7193dbe29113db9ed12e9a5c41322c32eec4
SHA256: 96d712ad6ac79e1e6f582bf6e49cdb27fafd383117748bff690d18db476adac5
SHA512: d78cd960b1e85b6140eb174a7e845a283ee98d24b0182dcdb839e67a287db41b92b515b5d252480b759c83b19d38767e97cb1a9a3095ef1a7059c15efa8d1dd4

Filesize: 16KB
MD5: 46fe110a0a71b6b35a9f2244b0c82bbc
SHA1: ab2ae3a05b8e66ad2e957038f6617c80646fc9db
SHA256: d16d29413c0b5787e33630f6cf0462c49fb189b10a1b01032cebcf60d513b461
SHA512: 53047507342b4ada7b2a5d3d3ad7f000eed972a1e5d50efeaa840e687ba1d90120b23f41cb6b1cae53c834fc4341896b0abc2ae77cb4878e36e433637de23acb

Filesize: 512B
MD5: 23ceec8b5e5c925e58553c76d59690e7
SHA1: 87f45187d3b74bcef92ab535614f9dc98750af20
SHA256: d5529dce8ca6fd5ffbae8f3b1eeb48978db43e24680b66c0c766778a3dc1ebc1
SHA512: bd757965f111045427aeaa607167496d5fec6daf63b7ca663a61cbabbc7564bafd2ec14f00767fc46396720d6fd17af2ac8e2d869951378696c7373ee2189eba

Filesize: 36KB
MD5: 32fb692b6fe1925bfeb1d174cdd0e094
SHA1: 62bf32fff8b7db8ca4a406270e3e71e766b89d51
SHA256: e6ab25edc5301b41125244cc8e2ab7ae70b8a11f646f22c49e522d1d802240c4
SHA512: 2658cb13199d7243d10a8dac0262be0d9192baf0a7d834406c4572686a65122d2b74ce4ccf3cbc92b729317fc133d963700af26f268e0a88ded39898a327d96a

Filesize: 4KB
MD5: 5f881d7b7d12e1d99e3edcd148c264b8
SHA1: 29d117f94de1f0071de4ab06b0e0e3a3aa65a504
SHA256: 843589e0445b7a3e346882c5500eddede7814bac9d9251cc158ed0f55236b24f
SHA512: 48043f92eec6ec79efb59edf9029e4107ebd1188dd95d7207b6f78cf67d16bd4686302e1090fa7250b85ca3510dd45eb7f527ae82b8d91fb19c136e5cb8317ed

Filesize: 4KB
MD5: d81d99ac52e4e0446023525b1baaf807
SHA1: 67e4542c6da1f12d1df1a5f1f82ff7b70b7d5fd2
SHA256: 4d8c083b4868d99659bf95194366fc6b542100e4906ebef1cfb1fa3c647feaab
SHA512: 24a99ef2e6782c4664ed261061990320c89f37dc8ca44d6a7a7947fc7d571ea853c662a763cc8c580b631c7e3917e5b4b7e426f559419757d29f1a95df8e79ae

Filesize: 4KB
MD5: 2d21b6ac30edfa3cdde8412184390936
SHA1: 14c2ac1d301cd72df1d21149bb0e8d2e9852e88a
SHA256: c5115c5c6eddab79588dd7427160a7b3abaf528b74d04b8cba0b2cdb8fea9546
SHA512: 373f61bcef1b94ff0adfa29489c23971e5025e1c8ee25fb28165edd7c3373c2234b788be78b4af9748b80df4d26774b5f7b541d15e8a52d8cb7c68217134aeac

Filesize: 4KB
MD5: be36d6dabc2495e5c3e2654ee623e216
SHA1: 66328089c5e6405ee9bea914b72c5084053d92af
SHA256: ae81cdc9eba5d60bdff3e84ca817d981b50174736255cafa4aec527fda8ef978
SHA512: a63dcf40b38ee1a87c0edf2f55d91fadde66687907437e793c57988e4a37fa331454835d9d937eff30195dfaf0154711b0066ce8cfd0a199f444aa4f81a42442

Filesize: 4KB
MD5: fe826f0beae9d996a71c5611d9b0828e
SHA1: b6ca2c0d6810e1506a528531d19e643b72ed1874
SHA256: d9db01f977e3a2ec18f7ee80a63712506bf584bf1e6d453477502acf2b9eb0f5
SHA512: 40db29059127197bf1a877458bfd42deb51fd95888cdf4a1300dbce94c991a95c4f81c90ae69708f2eb0090931f1d2eae9a9883812ee5a41ba0cd93ccb98e17d

Filesize: 90B
MD5: a1f3ad6ad4a18274fe779367d2189221
SHA1: ff144ec773f8abe00dc37467f4222cd3d0152730
SHA256: cbec76d00469e5ce10ec604eb0110072627187b4825cfdfd4f0d47df69227893
SHA512: 0fdbc44980c0722dee05a5e25c651b4016dfd889cb9dd965668c9a2a47339cc96996cf893eec79db7c58b165bd1cd9fca82f41b92398968d4c70cf2fe9bcb11b

Filesize: 555B
MD5: 1332a32eddfeea0de1311e5882d8fc06
SHA1: 0a5137af4a9f64e2061cce01168076d0e21d52ca
SHA256: 98d50d7a11d042088fb5f4ba4f728b844bf24835f5e57e704cacfdde181e8ba9
SHA512: d286e17b6a0d21739c793300ae7f705300cf64b445d77ea69e136856a9adc164714eefd6d926817664b677f371b5d82ee24d2baeb03e50d2cd6e3c6bf0f7ddd6

Filesize: 6KB
MD5: 24881fbb20f3de21d3e4b4fc8efdcadf
SHA1: d2fcece1e84654b28d09fb0e0ac78578c9028d82
SHA256: a9caa82b0d4ffa8d0c2c768aa778553dc3d7b3e9be184e18af96d5ee2d10ebc6
SHA512: 29f56935ed144dcb6cf39209fba65ba2bcea629ebe7bc25f8cdce88b5b0dd59bf45e32b089760919f91605276dbc0bb22841dfdb28078d820722ee648e8e80fe
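The digest lines in the General block and in this Downloads section reach the analyst in a flattened form (label fused to the value, as in MD5<hex> and SHA1<hex>, or the label alone with the value on the next line), which makes a SHA1 line easy to confuse with a SHA512 line when grepping and makes truncated digests easy to miss. The following added example, not tooling from the sandbox and not part of the report, parses that form into records, validates digest length and hex alphabet, and verifies a byte blob against a record by computing all four digests in one pass. REPORT_EXCERPT is constructed from the first two Downloads entries plus a deliberately truncated copy of the third; ABC_RECORD holds the standard published test vectors for the input b"abc" and is not a file from this analysis.

```python
"""Parse and verify the hash records of a sandbox report.

Added example: not tooling from the sandbox and not part of the report. Reads the
flattened form in which the General block and Downloads section were extracted.
REPORT_EXCERPT is constructed from two Downloads entries plus a truncated copy of
a third; ABC_RECORD holds the standard test vectors for b"abc", not a report file.
"""
import hashlib
import hmac
import re

DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_DIGEST_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9A-Fa-f]*)$")  # longest label first
_FIELD_LINE = re.compile(r"^(Target|Filesize|Size|SSDEEP)(\S*)$")
FIELD_KEY = {"Target": "path", "Filesize": "size", "Size": "size", "SSDEEP": "ssdeep"}

REPORT_EXCERPT = """\
/data/data/com.systemservice/cache/image_manager_disk_cache/119240b5c507da9ad0fa1c8aa89526b0d3b318ee30c724b3db8c9b0913ea064e.0.tmp
Filesize2KB
MD548610ddc9a91fae7814ed15a5851aefd
SHA139a97a7794cfe4df667f3d0030e3290a1eae6061
SHA25678063c1282a0a4e00d02c92811f6cddef48fb229e1f92cd4b17e3487b53402b5
SHA51255d7c784c57a04746ce834aeeeb461467e313f2c34dc6e78c004bf58422acf54393edba98770161018b42dbf74de75a54f0d24e8b6b0afc5d96a9f832e9271e0
-
Filesize
178B
MD5032ab390ced84616c73c9b07dc01218b
SHA1c2766b83007ab75cd65b8484578f629e1aca6c11
SHA25698f30b7b773f4da858bbe3a6648b210785daedebeb382edc6662f2cf757795ea
SHA512d31e29add59f705404db923c9431d6c947d23a2e1a8700fa4b07e62561c0a87d8dee1637ee045d4252b26365f8b95c678a57a93973bf8803b8135dbf1e6aed48
-
Filesize
31B
MD58c92de9ce46d41a22f3b20f77404cc1d
SHA18671a6dca00edb72be47363a7071be65cf27037
"""

ABC_RECORD = {"digests": {   # constructed reference values for b"abc", not from the report
    "MD5": "900150983cd24fb0d6963f7d28e17f72",
    "SHA1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "SHA256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "SHA512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
              "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
}}


def _blocks(text):
    """Split into entries on '-' separator lines, dropping blank lines."""
    for chunk in re.split(r"(?m)^\s*-\s*$", text):
        block = [line.strip() for line in chunk.splitlines() if line.strip()]
        if block:
            yield block


def parse_hash_records(text):
    """One dict per entry: path, size, ssdeep, digests, and a list of validation errors."""
    records = []
    for block in _blocks(text):
        rec = {"path": None, "size": None, "ssdeep": None, "digests": {}, "errors": []}
        pending = None  # label seen on its own line; its value is the next line
        for line in block:
            if pending is not None:
                if pending in DIGEST_HEX_LEN:
                    rec["digests"][pending] = line.lower()
                else:
                    rec[pending] = line
                pending = None
            elif (m := _DIGEST_LINE.match(line)):
                algo, hexval = m.group(1), m.group(2).lower()
                if hexval:
                    rec["digests"][algo] = hexval
                else:
                    pending = algo
            elif (m := _FIELD_LINE.match(line)):
                key, value = FIELD_KEY[m.group(1)], m.group(2)
                if value:
                    rec[key] = value
                else:
                    pending = key
            elif line.startswith("/"):
                rec["path"] = line
            else:
                rec["errors"].append(f"unrecognised line: {line[:40]}")
        for algo, want in DIGEST_HEX_LEN.items():
            got = rec["digests"].get(algo)
            if got is None:
                rec["errors"].append(f"missing {algo}")
            elif len(got) != want or not re.fullmatch(r"[0-9a-f]+", got):
                rec["errors"].append(f"{algo} is not {want} hex digits (got {len(got)})")
        records.append(rec)
    return records


def digest_blob(data, chunk=1 << 20):
    """MD5, SHA1, SHA256 and SHA512 of a bytes-like object, computed in one pass."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in DIGEST_HEX_LEN}
    view = memoryview(data)
    for i in range(0, len(view), chunk):
        for h in hashers.values():
            h.update(view[i:i + chunk])
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def verify_blob(data, record):
    """{algo: (expected, actual)} for every recorded digest that does not match."""
    actual = digest_blob(data)
    return {algo: (want, actual[algo]) for algo, want in record["digests"].items()
            if algo in actual and not hmac.compare_digest(want, actual[algo])}
```

The label alternation is ordered longest first so that "SHA1" followed by hex is never read as the start of "SHA512", and the length check afterwards catches the opposite failure, a digest that lost characters in extraction. Unrecognised lines are recorded per entry rather than raised, so one damaged record does not stop the rest of the list from being indexed, and verify_blob compares every digest the record carries, which is what you want when re-hashing a file pulled from the sandbox to confirm it is the same object the report describes.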