Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.[1]

ID: S0399
Platforms: Android
Version: 1.1
Created: 10 July 2019
Last Modified: 18 September 2019

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

Pallas captures audio from the device microphone.[1]

Mobile T1646 Exfiltration Over C2 Channel

Pallas exfiltrates data using HTTP.[1]

Mobile T1630.002 Indicator Removal on Host: File Deletion

Pallas has the ability to delete attacker-specified files from compromised devices.[1]

Mobile T1417.002 Input Capture: GUI Input Capture

Pallas uses phishing popups to harvest user credentials.[1]

Mobile T1430 Location Tracking

Pallas tracks the latitude and longitude coordinates of the infected device.[1]

Mobile T1406 Obfuscated Files or Information

Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.[1]

Mobile T1636.002 Protected User Data: Call Log

Pallas accesses and exfiltrates the call log.[1]

Mobile T1636.003 Protected User Data: Contact List

Pallas accesses the device contact list.[1]

Mobile T1636.004 Protected User Data: SMS Messages

Pallas captures and exfiltrates all SMS messages, including future messages as they are received.[1]

Mobile T1418 Software Discovery

Pallas retrieves a list of all applications installed on the device.[1]

Mobile T1409 Stored Application Data

Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.[1]

Mobile T1426 System Information Discovery

Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[1]

Mobile T1421 System Network Connections Discovery

Pallas gathers and exfiltrates data about nearby Wi-Fi access points.[1]

Mobile T1512 Video Capture

Pallas can take pictures with both the front and rear-facing cameras.[1]

Groups That Use This Software

ID Name References
G0070 Dark Caracal