Skip to content

S0551 GoldenEagle

GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.1

Item Value
ID S0551
Associated Names
Version 1.0
Created 24 December 2020
Last Modified 25 March 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1433 Access Call Log GoldenEagle has collected call logs.1
mobile T1432 Access Contact List GoldenEagle has collected a list of contacts.1
mobile T1409 Access Stored Application Data GoldenEagle has extracted messages from chat programs, such as WeChat.1
mobile T1418 Application Discovery GoldenEagle has collected a list of installed application names.1
mobile T1429 Capture Audio GoldenEagle has recorded calls and environment audio in .amr format.1
mobile T1512 Capture Camera GoldenEagle has taken photos with the device camera.1
mobile T1412 Capture SMS Messages GoldenEagle has collected SMS messages.1
mobile T1533 Data from Local System GoldenEagle has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.1
mobile T1407 Download New Code at Runtime GoldenEagle can download new code to update itself.1
mobile T1420 File and Directory Discovery GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.1
mobile T1478 Install Insecure or Malicious Configuration GoldenEagle has modified or configured proxy information.1
mobile T1430 Location Tracking GoldenEagle has tracked location.1
mobile T1444 Masquerade as Legitimate Application GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.1
mobile T1513 Screen Capture GoldenEagle has taken screenshots.1
mobile T1582 SMS Control GoldenEagle has sent messages to an attacker-controlled number.1
mobile T1437 Standard Application Layer Protocol GoldenEagle has exfiltrated data via both SMTP and HTTP and used HTTP POST requests for C2.1
mobile T1426 System Information Discovery GoldenEagle has checked for system root.1


Back to top