1. Home
  2. Techniques
  3. Mobile
  4. Call Control

Call Control

Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

Several permissions may be used to programmatically control phone calls, including:

  • ANSWER_PHONE_CALLS - Allows the application to answer incoming phone calls[1]
  • CALL_PHONE - Allows the application to initiate a phone call without going through the Dialer interface[1]
  • PROCESS_OUTGOING_CALLS - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether[1]
  • MANAGE_OWN_CALLS - Allows a calling application which manages its own calls through the self-managed ConnectionService APIs[1]
  • BIND_TELECOM_CONNECTION_SERVICE - Required permission when using a ConnectionService[1]
  • WRITE_CALL_LOG - Allows an application to write to the device call log, potentially to hide malicious phone calls[1]

When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of Input Injection to programmatically initiate it.

ID: T1616
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
MTC ID: APP-41, CEL-42, CEL-36, CEL-18
Contributors: Gaetan van Diemen, ThreatFabric
Version: 1.0
Created: 20 September 2021
Last Modified: 27 September 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
S0422 Anubis

Anubis can make phone calls.[2]
S0655 BusyGasper

BusyGasper can open a hidden menu when a specific phone number is called from the infected device.[3]
S0529 CarbonSteal

CarbonSteal can silently accept an incoming phone call.[4]
S0407 Monokle

Monokle can be controlled via phone call from a set of "control phones."[5]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting services could provide further scrutiny to applications that request permissions related to phone calls.
M1011 User Guidance

Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.

Detection

Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.

References

  1. Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.
  2. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  3. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  1. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  2. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.