CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. [1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Mobile | T1409 | Access Stored Application Data |
CarbonSteal can collect notes and data from the MiCode app.[1] |
|
Mobile | T1438 | Alternate Network Mediums |
CarbonSteal has used specially crafted SMS messages to control the target device.[1] |
|
Mobile | T1418 | Application Discovery |
CarbonSteal has looked for specific applications, such as MiCode.[1] |
|
Mobile | T1616 | Call Control |
CarbonSteal can silently accept an incoming phone call.[1] |
|
Mobile | T1429 | Capture Audio |
CarbonSteal can remotely capture device audio.[1] |
|
Mobile | T1412 | Capture SMS Messages |
CarbonSteal can access the device’s SMS and MMS messages.[1] |
|
Mobile | T1447 | Delete Device Data |
CarbonSteal has deleted call log entries coming from known C2 sources.[1] |
|
Mobile | T1407 | Download New Code at Runtime |
CarbonSteal can dynamically load additional functionality.[1] |
|
Mobile | T1420 | File and Directory Discovery |
CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.[1] |
|
Mobile | T1430 | Location Tracking |
CarbonSteal can access the device’s location and track the device over time.[1] |
|
Mobile | T1444 | Masquerade as Legitimate Application |
CarbonSteal has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.[1] |
|
Mobile | T1575 | Native Code |
CarbonSteal has seen native libraries used in some reported samples [1] |
|
Mobile | T1406 | Obfuscated Files or Information |
CarbonSteal has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.[1] |
|
Mobile | T1521 | Standard Cryptographic Protocol |
CarbonSteal has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.[1] |
|
Mobile | T1426 | System Information Discovery |
CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.[1] |
|
Mobile | T1422 | System Network Configuration Discovery |
CarbonSteal has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). CarbonSteal has also called |