| Technique | Description |
|---|---|
| Abuse Elevation Control Mechanism: Device Administrator Permissions | GPlayed can request device administrator permissions. |
| Application Layer Protocol | GPlayed has communicated with the C2 using HTTP requests, or WebSockets as a backup. |
| Data from Local System | GPlayed can collect the user's browser cookies. |
| Download New Code at Runtime | GPlayed has the capability to remotely load plugins and to download and compile new .NET code. |
| Endpoint Denial of Service | GPlayed can lock the user out of the device by showing a persistent overlay. |
| Event Triggered Execution | GPlayed can register for the BOOT_COMPLETED broadcast intent. |
| Indicator Removal on Host | GPlayed can wipe the device. |
| GUI Input Capture | GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information. |
| | GPlayed can request the device's location. |
| Obfuscated Files or Information | GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data. |
| Protected User Data | GPlayed can access the device's contact list. |
| Protected User Data | GPlayed can read SMS messages. |
| | GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system. |
| | GPlayed can send SMS messages. |
| | GPlayed can collect a list of installed applications. |
| System Information Discovery | GPlayed can collect the device's model, country, and Android version. |
| System Network Configuration Discovery | GPlayed can collect the device's IMEI, phone number, and country. |