
S0418 ViceLeaker

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

| Item | Value |
|---|---|
| ID | S0418 |
| Associated Names | Triout |
| Version | 1.0 |
| Created | 21 November 2019 |
| Last Modified | 26 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
|---|---|
| Triout | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1433 | Access Call Log | ViceLeaker can collect the device’s call log.[1] |
| mobile | T1418 | Application Discovery | ViceLeaker can obtain a list of installed applications.[1] |
| mobile | T1429 | Capture Audio | ViceLeaker can record audio from the device’s microphone and can record phone calls together with the caller ID.[1][2] |
| mobile | T1512 | Capture Camera | ViceLeaker can take photos from both the front and back cameras.[1] |
| mobile | T1412 | Capture SMS Messages | ViceLeaker can collect SMS messages.[1] |
| mobile | T1533 | Data from Local System | ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.[1][2] |
| mobile | T1447 | Delete Device Data | ViceLeaker can delete arbitrary files from the device.[1] |
| mobile | T1476 | Deliver Malicious App via Other Means | ViceLeaker was primarily distributed via Telegram and WhatsApp messages.[1] |
| mobile | T1430 | Location Tracking | ViceLeaker can collect location information, including GPS coordinates.[1][2] |
| mobile | T1444 | Masquerade as Legitimate Application | ViceLeaker was embedded into legitimate applications using Smali injection.[1] |
| mobile | T1544 | Remote File Copy | ViceLeaker can download attacker-specified files.[1] |
| mobile | T1437 | Standard Application Layer Protocol | ViceLeaker uses HTTP for C2 communication and data exfiltration.[1][2] |
| mobile | T1508 | Suppress Application Icon | ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.[2] |
| mobile | T1426 | System Information Discovery | ViceLeaker collects device information, including the device model and OS version.[1] |

