| mobile |
T1429 |
Audio Capture |
BusyGasper can record audio. |
| mobile |
T1616 |
Call Control |
BusyGasper can open a hidden menu when a specific phone number is called from the infected device. |
| mobile |
T1623 |
Command and Scripting Interpreter |
- |
| mobile |
T1623.001 |
Unix Shell |
BusyGasper can run shell commands. |
| mobile |
T1645 |
Compromise Client Software Binary |
BusyGasper can abuse existing root access to copy components into the system partition. |
| mobile |
T1533 |
Data from Local System |
BusyGasper can collect images stored on the device and browser history. |
| mobile |
T1407 |
Download New Code at Runtime |
BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox. |
| mobile |
T1639 |
Exfiltration Over Alternative Protocol |
- |
| mobile |
T1639.001 |
Exfiltration Over Unencrypted Non-C2 Protocol |
BusyGasper can download text files with commands from an FTP server and exfiltrate data via email. |
| mobile |
T1628 |
Hide Artifacts |
- |
| mobile |
T1628.001 |
Suppress Application Icon |
BusyGasper can hide its icon. |
| mobile |
T1628.002 |
User Evasion |
BusyGasper can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device. |
| mobile |
T1417 |
Input Capture |
- |
| mobile |
T1417.001 |
Keylogging |
BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character. |
| mobile |
T1430 |
Location Tracking |
BusyGasper can collect the device’s location information based on cellular network or GPS coordinates. |
| mobile |
T1644 |
Out of Band Data |
BusyGasper can perform actions when one of two hardcoded magic SMS strings is received. |
| mobile |
T1636 |
Protected User Data |
- |
| mobile |
T1636.004 |
SMS Messages |
BusyGasper can collect SMS messages. |
| mobile |
T1513 |
Screen Capture |
BusyGasper can use its keylogger module to take screenshots of the area of the screen that the user tapped. |
| mobile |
T1582 |
SMS Control |
BusyGasper can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device. |
| mobile |
T1409 |
Stored Application Data |
BusyGasper can collect data from messaging applications, including WhatsApp, Viber, and Facebook. |
| mobile |
T1512 |
Video Capture |
BusyGasper can record from the device’s camera. |
| mobile |
T1481 |
Web Service |
- |
| mobile |
T1481.002 |
Bidirectional Communication |
BusyGasper can be controlled via IRC using freenode.net servers. |