Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.[1]

ID: S0399
Platforms: Android
Version: 1.1
Created: 10 July 2019
Last Modified: 18 September 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1433 | Access Call Log | Pallas accesses and exfiltrates the call log.[1] |
| Mobile | T1432 | Access Contact List | Pallas accesses the device contact list.[1] |
| Mobile | T1409 | Access Stored Application Data | Pallas retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.[1] |
| Mobile | T1418 | Application Discovery | Pallas retrieves a list of all applications installed on the device.[1] |
| Mobile | T1429 | Capture Audio | Pallas captures audio from the device microphone.[1] |
| Mobile | T1512 | Capture Camera | Pallas can take pictures with both the front and rear-facing cameras.[1] |
| Mobile | T1412 | Capture SMS Messages | Pallas captures and exfiltrates all SMS messages, including future messages as they are received.[1] |
| Mobile | T1447 | Delete Device Data | Pallas has the ability to delete attacker-specified files from compromised devices.[1] |
| Mobile | T1476 | Deliver Malicious App via Other Means | Pallas has the ability to download and install attacker-specified applications.[1] |
| Mobile | T1411 | Input Prompt | Pallas uses phishing popups to harvest user credentials.[1] |
| Mobile | T1430 | Location Tracking | Pallas tracks the latitude and longitude coordinates of the infected device.[1] |
| Mobile | T1507 | Network Information Discovery | Pallas gathers and exfiltrates data about nearby Wi-Fi access points.[1] |
| Mobile | T1406 | Obfuscated Files or Information | Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.[1] |
| Mobile | T1437 | Standard Application Layer Protocol | Pallas exfiltrates data using HTTP.[1] |
| Mobile | T1426 | System Information Discovery | Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0070 | Dark Caracal | |