Skip to content

T1616 Call Control

Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

Several permissions may be used to programmatically control phone calls, including:

  • ANSWER_PHONE_CALLS - Allows the application to answer incoming phone calls1
  • CALL_PHONE - Allows the application to initiate a phone call without going through the Dialer interface1
  • PROCESS_OUTGOING_CALLS - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether1
  • MANAGE_OWN_CALLS - Allows a calling application which manages its own calls through the self-managed ConnectionService APIs1
  • BIND_TELECOM_CONNECTION_SERVICE - Required permission when using a ConnectionService1
  • WRITE_CALL_LOG - Allows an application to write to the device call log, potentially to hide malicious phone calls1

When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of Input Injection to programmatically initiate it.

Item Value
ID T1616
Tactics TA0035, TA0034, TA0037
Platforms Android
Version 1.1
Created 20 September 2021
Last Modified 16 March 2023

Procedure Examples

ID Name Description
S0422 Anubis Anubis can make phone calls.2
S0655 BusyGasper BusyGasper can open a hidden menu when a specific phone number is called from the infected device.3
S0529 CarbonSteal CarbonSteal can silently accept an incoming phone call.6
S1054 Drinik Drinik can use the Android CallScreeningService to silently block incoming calls.5
S0407 Monokle Monokle can be controlled via phone call from a set of “control phones.”4
S1069 TangleBot TangleBot can make and block phone calls.7


ID Mitigation Description
M1011 User Guidance Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.


ID Data Source Data Component
DS0041 Application Vetting Permissions Requests
DS0042 User Interface System Settings