S0425 Corona Updates
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.
| Item |
Value |
| ID |
S0425 |
| Associated Names |
Wabi Music, Concipit1248 |
| Type |
MALWARE |
| Version |
1.1 |
| Created |
24 April 2020 |
| Last Modified |
11 September 2020 |
| Navigation Layer |
View In ATT&CK® Navigator |
Associated Software Descriptions
| Name |
Description |
| Wabi Music |
|
| Concipit1248 |
|
Techniques Used
| Domain |
ID |
Name |
Use |
| mobile |
T1433 |
Access Call Log |
Corona Updates can collect the device’s call log. |
| mobile |
T1432 |
Access Contact List |
Corona Updates can collect device contacts. |
| mobile |
T1517 |
Access Notifications |
Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content. |
| mobile |
T1429 |
Capture Audio |
Corona Updates can record MP4 files and monitor calls. |
| mobile |
T1512 |
Capture Camera |
Corona Updates can take pictures using the camera and can record MP4 files. |
| mobile |
T1412 |
Capture SMS Messages |
Corona Updates can collect SMS messages. |
| mobile |
T1533 |
Data from Local System |
Corona Updates can collect voice notes, device accounts, and gallery images. |
| mobile |
T1475 |
Deliver Malicious App via Authorized App Store |
Corona Updates has been distributed through the Play Store. |
| mobile |
T1430 |
Location Tracking |
Corona Updates can track the device’s location. |
| mobile |
T1582 |
SMS Control |
Corona Updates can send SMS messages. |
| mobile |
T1437 |
Standard Application Layer Protocol |
Corona Updates communicates with the C2 server using HTTP requests and has exfiltrated data using FTP. |
| mobile |
T1426 |
System Information Discovery |
Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer. |
| mobile |
T1422 |
System Network Configuration Discovery |
Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI. |
References