| Technique | Use |
| --- | --- |
| Application Layer Protocol | DoubleAgent has used both FTP and TCP sockets for data exfiltration. |
| | DoubleAgent has captured audio and can record phone calls. |
| Command and Scripting Interpreter | DoubleAgent can run arbitrary shell commands. |
| Compromise Client Software Binary | DoubleAgent has used exploits to root devices and install additional malware on the system partition. |
| Data from Local System | DoubleAgent has collected files from the infected device. |
| Download New Code at Runtime | DoubleAgent has downloaded additional code to root devices, such as TowelRoot. |
| Exploitation for Privilege Escalation | DoubleAgent has used exploit tools, such as TowelRoot, to gain root. |
| File and Directory Discovery | DoubleAgent has searched for specific existing data directories, including those of the Gmail app, the Dropbox app, Pictures, and thumbnails. |
| Suppress Application Icon | DoubleAgent has hidden its app icon. |
| Indicator Removal on Host | DoubleAgent has deleted or renamed specific files. |
| Obfuscated Files or Information | DoubleAgent has used an AES-encrypted file in the assets folder with an innocuous name (e.g. 'GoogleMusic.png') to hold configuration and C2 information. |
| Protected User Data | DoubleAgent has accessed the call logs. |
| Protected User Data | DoubleAgent has accessed the contact list. |
| Protected User Data | DoubleAgent has captured SMS and MMS messages. |
| Protected User Data | DoubleAgent has accessed the list of installed apps. |
| Stored Application Data | DoubleAgent has accessed browser history, as well as the files of 15 other apps. |
| System Information Discovery | DoubleAgent has accessed common system information. |