Skip to content

S0536 GPlayed

GPlayed is an Android trojan with a broad range of capabilities.1

Item Value
ID S0536
Associated Names
Type MALWARE
Version 1.0
Created 24 November 2020
Last Modified 24 November 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1626 Abuse Elevation Control Mechanism -
mobile T1626.001 Device Administrator Permissions GPlayed can request device administrator permissions.1
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.1
mobile T1533 Data from Local System GPlayed can collect the user’s browser cookies.1
mobile T1407 Download New Code at Runtime GPlayed has the capability to remotely load plugins and download and compile new .NET code.1
mobile T1642 Endpoint Denial of Service GPlayed can lock the user out of the device by showing a persistent overlay.1
mobile T1624 Event Triggered Execution -
mobile T1624.001 Broadcast Receivers GPlayed can register for the BOOT_COMPLETED broadcast intent.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion GPlayed can wipe the device.1
mobile T1417 Input Capture -
mobile T1417.002 GUI Input Capture GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information.1
mobile T1430 Location Tracking GPlayed can request the device’s location.1
mobile T1406 Obfuscated Files or Information GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.1
mobile T1636 Protected User Data -
mobile T1636.003 Contact List GPlayed can access the device’s contact list.1
mobile T1636.004 SMS Messages GPlayed can read SMS messages.1
mobile T1603 Scheduled Task/Job GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.1
mobile T1582 SMS Control GPlayed can send SMS messages.1
mobile T1418 Software Discovery GPlayed can collect a list of installed applications.1
mobile T1426 System Information Discovery GPlayed can collect the device’s model, country, and Android version.1
mobile T1422 System Network Configuration Discovery GPlayed can collect the device’s IMEI, phone number, and country.1

References

  1. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.