Skip to content

S0507 eSurv

eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.1

Item Value
ID S0507
Associated Names
Version 1.0
Created 14 September 2020
Last Modified 14 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1429 Audio Capture eSurv can record audio.1
mobile T1533 Data from Local System eSurv can exfiltrate device pictures.1
mobile T1407 Download New Code at Runtime eSurv’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is Exodus.1
mobile T1521 Encrypted Channel -
mobile T1521.002 Asymmetric Cryptography eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.1
mobile T1627 Execution Guardrails -
mobile T1627.001 Geofencing eSurv imposes geo-restrictions when delivering the second stage.1
mobile T1646 Exfiltration Over C2 Channel eSurv has exfiltrated data using HTTP PUT requests.1
mobile T1430 Location Tracking eSurv can track the device’s location.1
mobile T1636 Protected User Data -
mobile T1636.003 Contact List eSurv can exfiltrate the device’s contact list.1
mobile T1426 System Information Discovery eSurv’s iOS version can collect device information.1