Skip to content

T1616 Call Control

Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

Several permissions may be used to programmatically control phone calls, including:

  • ANSWER_PHONE_CALLS - Allows the application to answer incoming phone calls1
  • CALL_PHONE - Allows the application to initiate a phone call without going through the Dialer interface1
  • PROCESS_OUTGOING_CALLS - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether1
  • MANAGE_OWN_CALLS - Allows a calling application which manages its own calls through the self-managed ConnectionService APIs1
  • BIND_TELECOM_CONNECTION_SERVICE - Required permission when using a ConnectionService1
  • WRITE_CALL_LOG - Allows an application to write to the device call log, potentially to hide malicious phone calls1

When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of Input Injection to programmatically initiate it.

Item Value
ID T1616
Sub-techniques
Tactics TA0035, TA0034, TA0037
Platforms Android
Version 1.2
Created 20 September 2021
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1214 Android/SpyAgent Android/SpyAgent can execute an automated phone call.14
S0292 AndroRAT AndroRAT can make phone calls.16
S0422 Anubis Anubis can make phone calls.10
S1094 BRATA BRATA can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.12
S0655 BusyGasper BusyGasper can open a hidden menu when a specific phone number is called from the infected device.8
S0529 CarbonSteal CarbonSteal can silently accept an incoming phone call.9
S1083 Chameleon Chameleon has the ability to control calls.4
S1054 Drinik Drinik can use the Android CallScreeningService to silently block incoming calls.7
S1092 Escobar Escobar can initiate phone calls.5
S1080 Fakecalls Fakecalls can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls.13
S1231 GodFather GodFather has requested for the CALL_PHONE permission to initiate phone calls.15
S0407 Monokle Monokle can be controlled via phone call from a set of “control phones.”11
S1195 SpyC23 SpyC23 can make phone calls.32
S1069 TangleBot TangleBot can make and block phone calls.6

Mitigations

ID Mitigation Description
M1011 User Guidance Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.

References

  1. Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021. 

  2. Delamotte, A. (2023, November 6). Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024. 

  3. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024. 

  4. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025. 

  5. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023. 

  6. Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023. 

  7. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024. 

  8. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021. 

  9. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  10. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024. 

  11. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  12. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023. 

  13. Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023. 

  14. Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024. 

  15. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025. 

  16. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.