T1616 Call Control
Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.
Several permissions may be used to programmatically control phone calls, including:
ANSWER_PHONE_CALLS- Allows the application to answer incoming phone calls1CALL_PHONE- Allows the application to initiate a phone call without going through the Dialer interface1PROCESS_OUTGOING_CALLS- Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether1MANAGE_OWN_CALLS- Allows a calling application which manages its own calls through the self-managedConnectionServiceAPIs1BIND_TELECOM_CONNECTION_SERVICE- Required permission when using aConnectionService1WRITE_CALL_LOG- Allows an application to write to the device call log, potentially to hide malicious phone calls1
When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of Input Injection to programmatically initiate it.
| Item | Value |
|---|---|
| ID | T1616 |
| Sub-techniques | |
| Tactics | TA0035, TA0034, TA0037 |
| Platforms | Android |
| Version | 1.1 |
| Created | 20 September 2021 |
| Last Modified | 16 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis | Anubis can make phone calls.2 |
| S0655 | BusyGasper | BusyGasper can open a hidden menu when a specific phone number is called from the infected device.3 |
| S0529 | CarbonSteal | CarbonSteal can silently accept an incoming phone call.6 |
| S1054 | Drinik | Drinik can use the Android CallScreeningService to silently block incoming calls.5 |
| S0407 | Monokle | Monokle can be controlled via phone call from a set of “control phones.”4 |
| S1069 | TangleBot | TangleBot can make and block phone calls.7 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1011 | User Guidance | Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | Permissions Requests |
| DS0042 | User Interface | System Settings |
References
-
Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021. ↩↩↩↩↩↩
-
M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. ↩
-
Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. ↩
-
Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. ↩
-
Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023. ↩
-
A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. ↩
-
Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023. ↩