
S0550 DoubleAgent

DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.[1]

| Item | Value |
|---|---|
| ID | S0550 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 24 December 2020 |
| Last Modified | 19 April 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1433 | Access Call Log | DoubleAgent has accessed the call logs.[1] |
| mobile | T1432 | Access Contact List | DoubleAgent has accessed the contact list.[1] |
| mobile | T1409 | Access Stored Application Data | DoubleAgent has accessed browser history, as well as the files for 15 other apps.[1] |
| mobile | T1418 | Application Discovery | DoubleAgent has accessed the list of installed apps.[1] |
| mobile | T1429 | Capture Audio | DoubleAgent has captured audio and can record phone calls.[1] |
| mobile | T1412 | Capture SMS Messages | DoubleAgent has captured SMS and MMS messages.[1] |
| mobile | T1605 | Command-Line Interface | DoubleAgent can run arbitrary shell commands.[1] |
| mobile | T1533 | Data from Local System | DoubleAgent has collected files from the infected device.[1] |
| mobile | T1447 | Delete Device Data | DoubleAgent has deleted or renamed specific files.[1] |
| mobile | T1407 | Download New Code at Runtime | DoubleAgent has downloaded additional code to root devices, such as TowelRoot.[1] |
| mobile | T1404 | Exploit OS Vulnerability | DoubleAgent has used exploit tools to gain root, such as TowelRoot.[1] |
| mobile | T1420 | File and Directory Discovery | DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | DoubleAgent has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.[1] |
| mobile | T1400 | Modify System Partition | DoubleAgent has used exploits to root devices and install additional malware on the /system partition.[1] |
| mobile | T1406 | Obfuscated Files or Information | DoubleAgent has used an AES-encrypted file in the assets folder with an innocuous-looking name (e.g. 'GoogleMusic.png') to hold configuration and C2 information.[1] |
| mobile | T1437 | Standard Application Layer Protocol | DoubleAgent has used both FTP and TCP sockets for data exfiltration.[1] |
| mobile | T1508 | Suppress Application Icon | DoubleAgent has hidden its app icon.[1] |
| mobile | T1426 | System Information Discovery | DoubleAgent has accessed common system information.[1] |

References
