Home > List all groups > List all tools > List all groups using tool dmsSpy

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: dmsSpy

TypeReconnaissance, Backdoor, Info stealer, Exfiltration
Description(Trend Micro) Another APK link was disguised as a calendar application for checking the schedule of upcoming political events in Hong Kong. Though the link was also down, we managed to find the original file downloaded from it.

The calendar application shown above requires manysensitive permissions such as READ_CONTACTS, RECEIVE_SMS, READ_SMS, CALL_PHONE, ACCESS_LOCATION, and WRITE/READ EXTERNAL_STORAGE. When launched, it first collects device information such as device ID, brand, model, OS version, physicallocation, and SDcard file list. It then sends the collected information back to the C&C server.

It also steals contact and SMS information stored in the device. Furthermore, it registers a receiver that monitors new incoming SMS messages and syncs messages with the C&C server in real-time.

The appcan perform an update by querying the C&C server to fetch the URL of the latest APK file, then download and install it.

Last change to this tool card: 23 April 2021

Download this tool card in JSON format

Previous: DMSniff
Next: dneSpy

All groups using tool dmsSpy


APT groups

 Operation Poisoned News, TwoSail JunkChina2020 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key