1. Home
  2. Software
  3. Desert Scorpion

Desert Scorpion

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]

ID: S0505
Type: MALWARE
Platforms: Android
Version: 1.1
Created: 11 September 2020
Last Modified: 19 April 2021
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

Desert Scorpion can collect the device’s contact list.[1]
Mobile T1409 Access Stored Application Data

Desert Scorpion can collect account information stored on the device.[1]
Mobile T1438 Alternate Network Mediums

Desert Scorpion can be controlled using SMS messages.[1]
Mobile T1418 Application Discovery

Desert Scorpion can obtain a list of installed applications.[1]
Mobile T1429 Capture Audio

Desert Scorpion can record audio from phone calls and the device microphone.[1]
Mobile T1512 Capture Camera

Desert Scorpion can record videos.[1]
Mobile T1412 Capture SMS Messages

Desert Scorpion can retrieve SMS messages.[1]
Mobile T1532 Data Encrypted

Desert Scorpion can encrypt exfiltrated data.[1]
Mobile T1533 Data from Local System

Desert Scorpion can collect attacker-specified files, including files located on external storage.[1]

Mobile T1447 Delete Device Data

Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1]
Mobile T1475 Deliver Malicious App via Authorized App Store

Desert Scorpion has been distributed via the Google Play Store.[1]
Mobile T1407 Download New Code at Runtime

Desert Scorpion has been distributed in multiple stages.[1]
Mobile T1420 File and Directory Discovery

Desert Scorpion can list files stored on external storage.[1]
Mobile T1478 Install Insecure or Malicious Configuration

If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1]
Mobile T1430 Location Tracking

Desert Scorpion can track the device’s location.[1]
Mobile T1582 SMS Control

Desert Scorpion can send SMS messages.[1]
Mobile T1508 Suppress Application Icon

Desert Scorpion can hide its icon.[1]
Mobile T1426 System Information Discovery

Desert Scorpion can collect device metadata and can check if the device is rooted.[1]

References

  1. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.