Domain | ID | Name | Use
---|---|---|---
Mobile | T1432 | Access Contact List |
Mobile | T1418 | Application Discovery |
Mobile | T1402 | Broadcast Receivers | GPlayed can register for the
Mobile | T1412 | Capture SMS Messages |
Mobile | T1533 | Data from Local System |
Mobile | T1447 | Delete Device Data |
Mobile | T1401 | Device Administrator Permissions |
Mobile | T1446 | Device Lockout | GPlayed can lock the user out of the device by showing a persistent overlay.[1]
Mobile | T1407 | Download New Code at Runtime | GPlayed has the capability to remotely load plugins and to download and compile new .NET code.[1]
Mobile | T1411 | Input Prompt | GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information.[1]
Mobile | T1430 | Location Tracking |
Mobile | T1444 | Masquerade as Legitimate Application | GPlayed has used the Play Store icon as well as the name "Google Play Marketplace".[1]
Mobile | T1406 | Obfuscated Files or Information | GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.[1]
Mobile | T1603 | Scheduled Task/Job | GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[1]
Mobile | T1582 | SMS Control |
Mobile | T1437 | Standard Application Layer Protocol | GPlayed has communicated with the C2 using HTTP requests, with WebSockets as a backup.[1]
Mobile | T1426 | System Information Discovery | GPlayed can collect the device’s model, country, and Android version.[1]
Mobile | T1422 | System Network Configuration Discovery | GPlayed can collect the device’s IMEI, phone number, and country.[1]