| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1437 | Application Layer Protocol | DoubleAgent has used both FTP and TCP sockets for data exfiltration. |
| mobile | T1429 | Audio Capture | DoubleAgent has captured audio and can record phone calls. |
| mobile | T1623 | Command and Scripting Interpreter | - |
| mobile | T1623.001 | Unix Shell | DoubleAgent can run arbitrary shell commands. |
| mobile | T1645 | Compromise Client Software Binary | DoubleAgent has used exploits to root devices and install additional malware on the system partition. |
| mobile | T1533 | Data from Local System | DoubleAgent has collected files from the infected device. |
| mobile | T1407 | Download New Code at Runtime | DoubleAgent has downloaded additional code to root devices, such as TowelRoot. |
| mobile | T1404 | Exploitation for Privilege Escalation | DoubleAgent has used exploit tools to gain root, such as TowelRoot. |
| mobile | T1420 | File and Directory Discovery | DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails. |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | DoubleAgent has hidden its app icon. |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | DoubleAgent has deleted or renamed specific files. |
| mobile | T1406 | Obfuscated Files or Information | DoubleAgent has used an AES-encrypted file in the assets folder with an unsuspecting name (e.g. 'GoogleMusic.png') for holding configuration and C2 information. |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | DoubleAgent has accessed the call logs. |
| mobile | T1636.003 | Contact List | DoubleAgent has accessed the contact list. |
| mobile | T1636.004 | SMS Messages | DoubleAgent has captured SMS and MMS messages. |
| mobile | T1418 | Software Discovery | DoubleAgent has accessed the list of installed apps. |
| mobile | T1409 | Stored Application Data | DoubleAgent has accessed browser history, as well as the files for 15 other apps. |
| mobile | T1426 | System Information Discovery | DoubleAgent has accessed common system information. |