S0425 Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.
| Item |
Value |
| ID |
S0425 |
| Associated Names |
Wabi Music, Concipit1248 |
| Type |
MALWARE |
| Version |
1.1 |
| Created |
24 April 2020 |
| Last Modified |
11 September 2020 |
| Navigation Layer |
View In ATT&CK® Navigator |
Associated Software Descriptions
| Name |
Description |
| Wabi Music |
|
| Concipit1248 |
|
Techniques Used
| Domain |
ID |
Name |
Use |
| mobile |
T1517 |
Access Notifications |
Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content. |
| mobile |
T1437 |
Application Layer Protocol |
- |
| mobile |
T1437.001 |
Web Protocols |
Corona Updates communicates with the C2 server using HTTP requests. |
| mobile |
T1429 |
Audio Capture |
Corona Updates can record MP4 files and monitor calls. |
| mobile |
T1533 |
Data from Local System |
Corona Updates can collect voice notes, device accounts, and gallery images. |
| mobile |
T1639 |
Exfiltration Over Alternative Protocol |
- |
| mobile |
T1639.001 |
Exfiltration Over Unencrypted Non-C2 Protocol |
Corona Updates has exfiltrated data using FTP. |
| mobile |
T1430 |
Location Tracking |
Corona Updates can track the device’s location. |
| mobile |
T1636 |
Protected User Data |
- |
| mobile |
T1636.002 |
Call Log |
Corona Updates can collect the device’s call log. |
| mobile |
T1636.003 |
Contact List |
Corona Updates can collect device contacts. |
| mobile |
T1636.004 |
SMS Messages |
Corona Updates can collect SMS messages. |
| mobile |
T1582 |
SMS Control |
Corona Updates can send SMS messages. |
| mobile |
T1426 |
System Information Discovery |
Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer. |
| mobile |
T1422 |
System Network Configuration Discovery |
Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI. |
| mobile |
T1512 |
Video Capture |
Corona Updates can take pictures using the camera and can record MP4 files. |
References