FlexiSpy
FlexiSPY is a commercial mobile spyware/stalkerware product associated with Thai firm Vervata. The provided content describes it as a consumer surveillance tool that overlaps technically and commercially with government-grade lawful intercept spyware, and notes Vervata launched a reseller program in 2012 encouraging surveillance companies and governments to buy and rebrand its code. Appin Security Group was also reported to have purchased mobile spyware services from Vervata in 2010.
High-confidence capabilities mentioned in the content include interception of SMS and MMS messages, monitoring messages for keywords, collection of device contacts, monitoring of device photos, access to browser history and bookmarks, and video recording. The content also states that FlexiSPY used AccessibilityService as a non-root fallback for IM capture/keystroke capture, and that leaked source code from a 2017 breach of Vervata showed a root-based database monitoring approach with an AccessibilityService-based fallback.
The content further notes reported similarities between FlexiSPY and FinFisher Android spyware based on a leaked 2012 Hacking Team email, although Forbes said it could not independently verify claims that the two were nearly identical. FlexiSPY is characterized in the source material as stalkerware used for covert surveillance, including in abusive partner-monitoring contexts.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In one 2012 leaked email from the Wikileaks archive of hacked data from Italy-based government malware maker Hacking Team, the company claimed the Android spy tool of FinFisher, one of its fiercest rivals, looked similar to FlexiSpy, a cheap product manufactured by Thai firm Vervata.
For example, in 2010 they purchased mobile spyware services through Vervata, the business behind the FlexiSPY mobile stalkerware.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique“the app opens and asks them to enable an accessibility service. One toggle in Android Settings. They flip it.”
Credential Access
1 techniqueCollection
2 techniquesAbstractEmu can collect files from or inspect the device’s filesystem. AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf. BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Commercial stalkerware/spyware suite described as using AccessibilityService for non-root IM/keystroke capture; historically also used root-based database monitoring (FileObserver on app SQLite DBs) per leaked source code.
Commercial mobile spyware/stalkerware service purchased and used by Appin operators for mobile device monitoring.
Android spyware capable of recording video.
Spyware that monitors photos and accesses browser history and bookmarks.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.