
S0507 eSurv

eSurv is mobile surveillanceware, developed over the course of many years, that is built for the lawful-intercept market. [1]

ID: S0507
Associated Names: (none)
Type: MALWARE
Version: 1.0
Created: 14 September 2020
Last Modified: 14 September 2020

Techniques Used

Domain | ID | Name | Use
mobile | T1432 | Access Contact List | eSurv can exfiltrate the device's contact list. [1]
mobile | T1429 | Capture Audio | eSurv can record audio. [1]
mobile | T1533 | Data from Local System | eSurv can exfiltrate device pictures. [1]
mobile | T1475 | Deliver Malicious App via Authorized App Store | eSurv's Android version was available in the Google Play Store. [1]
mobile | T1476 | Deliver Malicious App via Other Means | eSurv has been distributed via phishing websites with geo-restrictions that allow access only from Italian and Turkmenistani mobile carriers. eSurv can install applications via malicious iOS provisioning profiles containing the developer's certificate. [1]
mobile | T1407 | Download New Code at Runtime | eSurv's Android version is distributed in three stages: the dropper, the second-stage payload, and the third-stage payload, which is Exodus. [1]
mobile | T1581 | Geofencing | eSurv imposes geo-restrictions when delivering the second stage. [1]
mobile | T1430 | Location Tracking | eSurv can track the device's location. [1]
mobile | T1437 | Standard Application Layer Protocol | eSurv has exfiltrated data using HTTP PUT requests. [1]
mobile | T1521 | Standard Cryptographic Protocol | eSurv's Android version has used public key encryption and certificate pinning for C2 communication. [1]
mobile | T1426 | System Information Discovery | eSurv's iOS version can collect device information. [1]
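The T1437 entry above (exfiltration over HTTP PUT) is the one behaviour in this table that leaves a footprint in ordinary web-proxy or gateway telemetry. The following detection sketch is an added example written for this page, not code from MITRE or from the cited report: it parses a handful of constructed proxy-log lines and flags clients that repeatedly PUT large bodies to hosts outside an upload allowlist, which is the shape contact lists, pictures and audio clips (T1432, T1533, T1429) would take on the wire. The log format, the allowlist, and the size and count thresholds are all assumptions chosen for the example.

```python
"""Detection sketch: repeated HTTP PUT uploads consistent with eSurv-style exfiltration.

Added example for this page. The log format below is an assumed, simplified
proxy format, not a real product's output, and every sample line is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (assumed format):
# <epoch> <client_ip> <method> <host> <path> <status> <bytes_sent> "<user_agent>"
SAMPLE_LOG = """\
1600000000 10.0.0.12 GET cdn.example.org /app.js 200 412 "Mozilla/5.0 (Linux; Android 9)"
1600000010 10.0.0.12 PUT upload.example.net /u/7f3a 200 1843200 "Dalvik/2.1.0 (Linux; U; Android 9)"
1600000020 10.0.0.12 PUT upload.example.net /u/7f3b 200 2210000 "Dalvik/2.1.0 (Linux; U; Android 9)"
1600000030 10.0.0.12 PUT upload.example.net /u/7f3c 200 98000 "Dalvik/2.1.0 (Linux; U; Android 9)"
1600000040 10.0.0.25 PUT backup.corp.example /photos 201 5000000 "CorpBackup/3.2 iOS"
1600000050 10.0.0.30 POST api.example.com /login 200 312 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Hosts where large PUT uploads are expected (assumption for the example:
# an enterprise backup service). Everything else is treated as unknown.
ALLOWED_UPLOAD_HOSTS = {"backup.corp.example"}
# Thresholds are assumptions: pictures and audio clips run tens of KB and up,
# and periodic collection shows as several uploads from one client to one host.
MIN_UPLOAD_BYTES = 50_000
MIN_UPLOADS_PER_PAIR = 2


@dataclass
class Finding:
    src: str
    host: str
    uploads: int
    total_bytes: int


def parse_log(text):
    """Parse the assumed proxy format; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["bytes"] = int(row["bytes"])
            rows.append(row)
    return rows


def find_put_exfil(rows):
    """Return (client, host) pairs with repeated large PUTs to non-allowlisted hosts."""
    stats = defaultdict(lambda: [0, 0])  # (src, host) -> [upload count, total bytes]
    for r in rows:
        if r["method"] != "PUT" or r["host"] in ALLOWED_UPLOAD_HOSTS:
            continue
        if r["bytes"] < MIN_UPLOAD_BYTES:
            continue
        key = (r["src"], r["host"])
        stats[key][0] += 1
        stats[key][1] += r["bytes"]
    return [
        Finding(src, host, n, total)
        for (src, host), (n, total) in stats.items()
        if n >= MIN_UPLOADS_PER_PAIR
    ]


if __name__ == "__main__":
    for f in find_put_exfil(parse_log(SAMPLE_LOG)):
        print(f"{f.src} -> {f.host}: {f.uploads} PUT uploads, {f.total_bytes} bytes")
```

Two caveats from the table itself. The Android C2 channel uses certificate pinning (T1521), so an intercepting proxy cannot terminate the TLS session and will not see the method or path; this logic only applies where the upload travels as plain HTTP or where the log source sits on the endpoint (an MDM agent or on-device VPN). Where only TLS metadata is available, the same aggregation still works on the SNI host and the client-to-server byte count, with the method condition dropped.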

References
