S0577 FrozenCell
FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.[1]
| Item | Value |
|---|---|
| ID | S0577 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 February 2021 |
| Last Modified | 19 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1532 | Archive Collected Data | FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[1] |
| mobile | T1429 | Audio Capture | FrozenCell has recorded calls.[1] |
| mobile | T1533 | Data from Local System | FrozenCell has retrieved device images for exfiltration.[1] |
| mobile | T1407 | Download New Code at Runtime | FrozenCell has downloaded and installed additional applications.[1] |
| mobile | T1420 | File and Directory Discovery | FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[1] |
| mobile | T1430 | Location Tracking | FrozenCell has used an online cell tower geolocation service to track targets.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | FrozenCell has read SMS messages for exfiltration.[1] |
| mobile | T1409 | Stored Application Data | FrozenCell has retrieved account information for other applications.[1] |
| mobile | T1426 | System Information Discovery | FrozenCell has gathered the device manufacturer, model, and serial number.[1] |
| mobile | T1422 | System Network Configuration Discovery | FrozenCell has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).[1] |