eSurv

eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.[1]

ID: S0507
Type: MALWARE
Platforms: Android, iOS
Version: 1.1
Created: 14 September 2020
Last Modified: 29 March 2024

Techniques Used

Domain | ID | Name | Use
Mobile T1429 Audio Capture

eSurv can record audio.[1]

Mobile T1533 Data from Local System

eSurv can exfiltrate device pictures.[1]

Mobile T1407 Download New Code at Runtime

eSurv’s Android version is distributed in three stages: the dropper, the second-stage payload, and the third-stage payload, which is Exodus.[1]

Mobile T1521 .002 Encrypted Channel: Asymmetric Cryptography

eSurv’s Android version has used public key encryption for C2 communication.[1]

Mobile T1521 .003 Encrypted Channel: SSL Pinning

eSurv’s Android version has used certificate pinning for C2 communication.[1]

Mobile T1627 .001 Execution Guardrails: Geofencing

eSurv imposes geo-restrictions when delivering the second stage.[1]

Mobile T1646 Exfiltration Over C2 Channel

eSurv has exfiltrated data using HTTP PUT requests.[1]
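The following is an added detection example, not code from the eSurv sample or from this ATT&CK entry. It shows how a defender could hunt for the HTTP PUT exfiltration pattern described above in web-proxy logs: aggregate PUT uploads per client and destination host, drop hosts on an allowlist of sanctioned upload services, and flag clients whose total upload volume to one host crosses a threshold, annotating the alert with weak indicators (raw-IP destination, non-standard port, bare Android runtime user agent). The log format, the allowlist, the threshold, and the log lines themselves are constructed for the example and do not describe real eSurv infrastructure.

```python
"""Hunt for T1646-style exfiltration over HTTP PUT in proxy logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical traffic, not real eSurv C2).
# Fields: timestamp src_ip method url status bytes_sent user_agent
SAMPLE_LOG = """\
2024-03-29T10:00:01Z 10.20.0.15 GET https://www.example.com/index.html 200 1843 Mozilla/5.0 (Linux; Android 10)
2024-03-29T10:00:05Z 10.20.0.15 PUT https://198.51.100.23:8443/upload/7f3a 200 524288 Dalvik/2.1.0 (Linux; U; Android 10)
2024-03-29T10:00:09Z 10.20.0.15 PUT https://198.51.100.23:8443/upload/7f3b 200 1048576 Dalvik/2.1.0 (Linux; U; Android 10)
2024-03-29T10:01:12Z 10.20.0.15 PUT https://198.51.100.23:8443/upload/7f3c 200 786432 Dalvik/2.1.0 (Linux; U; Android 10)
2024-03-29T10:02:00Z 10.20.0.31 PUT https://backup.corp.example/api/v1/photos 201 2097152 CorpBackup/3.2
2024-03-29T10:03:44Z 10.20.0.42 POST https://www.example.org/login 302 512 Mozilla/5.0 (iPhone; CPU iPhone OS 13_3)
"""

# Hypothetical allowlist of services that legitimately receive large PUT uploads.
UPLOAD_ALLOWLIST = {"backup.corp.example"}

# Alert once a single client has PUT at least this many bytes to a single host.
BYTES_THRESHOLD = 1 * 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<ua>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["bytes"] = int(e["bytes"])
        parts = urlsplit(e["url"])
        e["host"] = parts.hostname or ""
        e["port"] = parts.port or (443 if parts.scheme == "https" else 80)
        events.append(e)
    return events


def detect_put_exfil(text, threshold=BYTES_THRESHOLD, allowlist=UPLOAD_ALLOWLIST):
    """Aggregate PUT uploads per (src, host) and flag high-volume uploads to non-allowlisted hosts."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "ports": set(), "uas": set()})
    for e in parse_log(text):
        if e["method"] != "PUT" or e["host"] in allowlist:
            continue
        agg = totals[(e["src"], e["host"])]
        agg["bytes"] += e["bytes"]
        agg["requests"] += 1
        agg["ports"].add(e["port"])
        agg["uas"].add(e["ua"])

    alerts = []
    for (src, host), agg in totals.items():
        if agg["bytes"] < threshold:
            continue
        indicators = []
        if IPV4_RE.match(host):
            indicators.append("raw_ip_host")          # no DNS name for the upload target
        if any(p not in (80, 443) for p in agg["ports"]):
            indicators.append("nonstandard_port")
        if any(ua.startswith("Dalvik/") for ua in agg["uas"]):
            indicators.append("dalvik_user_agent")    # Android runtime default UA, not a browser
        alerts.append({
            "src": src,
            "host": host,
            "bytes": agg["bytes"],
            "requests": agg["requests"],
            "indicators": sorted(indicators),
        })
    # Highest-volume uploader first.
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_put_exfil(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the only alert is 10.20.0.15 uploading about 2.3 MiB in three PUTs to a raw-IP host on port 8443 with a Dalvik user agent; the larger upload from 10.20.0.31 is suppressed because its destination is on the allowlist. The volume threshold and allowlist are the knobs to tune per environment, since a single PUT is not suspicious on its own and the indicators are only corroborating signals.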

Mobile T1430 Location Tracking

eSurv can track the device’s location.[1]

Mobile T1636 .003 Protected User Data: Contact List

eSurv can exfiltrate the device’s contact list.[1]

Mobile T1426 System Information Discovery

eSurv’s iOS version can collect device information.[1]

References