FrozenCell
FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Mobile | T1409 | Access Stored Application Data |
FrozenCell has retrieved account information for other applications.[1] |
|
| Mobile | T1429 | Capture Audio |
FrozenCell has recorded calls.[1] |
|
| Mobile | T1412 | Capture SMS Messages |
FrozenCell has read SMS messages for exfiltration.[1] |
|
| Mobile | T1532 | Data Encrypted |
FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[1] |
|
| Mobile | T1533 | Data from Local System |
FrozenCell has retrieved device images for exfiltration.[1] |
|
| Mobile | T1407 | Download New Code at Runtime |
FrozenCell has downloaded and installed additional applications.[1] |
|
| Mobile | T1420 | File and Directory Discovery |
FrozenCell has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.[1] |
|
| Mobile | T1430 | Location Tracking |
FrozenCell has used an online cell tower geolocation service to track targets.[1] |
|
| Mobile | T1444 | Masquerade as Legitimate Application |
FrozenCell has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.[1] |
|
| Mobile | T1426 | System Information Discovery |
FrozenCell has gathered the device manufacturer, model, and serial number.[1] |
|
| Mobile | T1422 | System Network Configuration Discovery |
FrozenCell has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).[1] |
|