Skip to content

S0549 SilkBean

SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.1

Item Value
ID S0549
Associated Names
Type MALWARE
Version 1.0
Created 24 December 2020
Last Modified 25 April 2025
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols SilkBean has used HTTPS for C2 communication.1
mobile T1533 Data from Local System SilkBean can retrieve files from external storage and can collect browser data.1
mobile T1407 Download New Code at Runtime SilkBean can install new applications which are obtained from the C2 server.1
mobile T1521 Encrypted Channel -
mobile T1521.002 Asymmetric Cryptography SilkBean has used HTTPS for C2 communication.1
mobile T1420 File and Directory Discovery SilkBean can get file lists on the SD card.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion SilkBean can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.1
mobile T1430 Location Tracking SilkBean has access to the device’s location.1
mobile T1655 Masquerading -
mobile T1655.001 Match Legitimate Name or Location SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.1
mobile T1406 Obfuscated Files or Information SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information.1
mobile T1636 Protected User Data -
mobile T1636.002 Call Log SilkBean can access call logs.1
mobile T1636.003 Contact List SilkBean can access device contacts.1
mobile T1636.004 SMS Messages SilkBean can access SMS messages.1
mobile T1582 SMS Control SilkBean can send SMS messages.1
mobile T1632 Subvert Trust Controls -
mobile T1632.001 Code Signing Policy Modification SilkBean has attempted to trick users into enabling installation of applications from unknown sources.1
mobile T1512 Video Capture SilkBean can access the camera on the device.1

References

  1. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.