
Threat Group Cards: A Threat Actor Encyclopedia

Tool: SpyWaller

Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Description: (Lookout) The latest SpyWaller variants are capable of accessing the sensitive data of over 20 different apps, in addition to being able to record calls, capture surrounding audio, track a device's location, take pictures with the camera, and retrieve a list of installed packages.

Initial infection is followed by requests to command and control infrastructure for the latest native code component that contains the bulk of SpyWaller's surveillanceware functionality. While we found the native code that is bundled up in the app is somewhat obfuscated, the latest binary served up by attacker infrastructure was not, and contains new code to target Facebook and Google Hangouts. These improvements in capability suggest that the actor behind SpyWaller may be deploying it in campaigns outside of China, where we believe the majority of previous activity to have been conducted.

Last change to this tool card: 01 July 2020


All groups using tool SpyWaller


APT groups

Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-May 2020

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
