Skip to content


INSOMNIA is spyware that has been used by the group Evil Eye.1

Item Value
ID S0463
Associated Names
Version 1.0
Created 02 June 2020
Last Modified 24 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols INSOMNIA communicates with the C2 server using HTTPS requests.1
mobile T1634 Credentials from Password Store -
mobile T1634.001 Keychain INSOMNIA can extract the device’s keychain.2
mobile T1533 Data from Local System INSOMNIA can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.2
mobile T1456 Drive-By Compromise INSOMNIA has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.1
mobile T1404 Exploitation for Privilege Escalation INSOMNIA exploits a WebKit vulnerability to achieve root access on the device.1
mobile T1430 Location Tracking INSOMNIA can track the device’s location.2
mobile T1509 Non-Standard Port INSOMNIA has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.1
mobile T1406 Obfuscated Files or Information INSOMNIA obfuscates various pieces of information within the application.1
mobile T1631 Process Injection -
mobile T1631.001 Ptrace System Calls INSOMNIA grants itself permissions by injecting its hash into the kernel’s trust cache.2
mobile T1636 Protected User Data -
mobile T1636.002 Call Log INSOMNIA can retrieve the call history.2
mobile T1636.003 Contact List INSOMNIA can collect the device’s contact list.2
mobile T1636.004 SMS Messages INSOMNIA can retrieve SMS messages and iMessages.2
mobile T1418 Software Discovery INSOMNIA can obtain a list of installed non-Apple applications.2
mobile T1426 System Information Discovery INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.2
mobile T1422 System Network Configuration Discovery INSOMNIA can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).2