FrozenCell

FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.[1]

ID: S0577
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 17 February 2021
Last Modified: 19 April 2021

Techniques Used

Domain ID Name Use
Mobile T1409 Access Stored Application Data

FrozenCell has retrieved account information for other applications.[1]

Mobile T1429 Capture Audio

FrozenCell has recorded calls.[1]

Mobile T1412 Capture SMS Messages

FrozenCell has read SMS messages for exfiltration.[1]

Mobile T1532 Data Encrypted

FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[1]

Mobile T1533 Data from Local System

FrozenCell has retrieved device images for exfiltration.[1]

Mobile T1407 Download New Code at Runtime

FrozenCell has downloaded and installed additional applications.[1]

Mobile T1420 File and Directory Discovery

FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[1]

Mobile T1430 Location Tracking

FrozenCell has used an online cell tower geolocation service to track targets.[1]

Mobile T1444 Masquerade as Legitimate Application

FrozenCell has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.[1]

Mobile T1426 System Information Discovery

FrozenCell has gathered the device manufacturer, model, and serial number.[1]

Mobile T1422 System Network Configuration Discovery

FrozenCell has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).[1]

References