ViceLeaker

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

ID: S0418
Associated Software: Triout
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 21 November 2019
Last Modified: 26 March 2020

Associated Software Descriptions

Name | Description
Triout | [1]

Techniques Used

Domain ID Name Use
Mobile T1437.001 Application Layer Protocol: Web Protocols

ViceLeaker uses HTTP requests for C2 communication.[1][2]

Mobile T1429 Audio Capture

ViceLeaker can record audio from the device’s microphone and can record phone calls together with the caller ID.[1][2]

Mobile T1533 Data from Local System

ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.[1][2]

Mobile T1646 Exfiltration Over C2 Channel

ViceLeaker uses HTTP data exfiltration.[1][2]

Mobile T1628.001 Hide Artifacts: Suppress Application Icon

ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.[2]
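The finding above (icon-hiding code present but apparently never invoked) is the kind of result a static pass over decompiled smali produces. The following is an added analyst-side example, not code from ViceLeaker, MITRE, or either cited report: it parses a constructed smali excerpt, flags methods that disable a component via PackageManager.setComponentEnabledSetting with state 0x2 (COMPONENT_ENABLED_STATE_DISABLED), and then checks whether any other method in the parsed set ever invokes them. The class and method names in the sample are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed smali excerpt for illustration (not from any real sample):
# hideIcon() disables the launcher activity, but nothing calls it; start()
# only calls collect().
SAMPLE_SMALI = """
.class public Lcom/example/app/Helper;
.super Ljava/lang/Object;

.method public static hideIcon(Landroid/content/Context;)V
    .locals 3
    invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v0
    new-instance v1, Landroid/content/ComponentName;
    const-string v2, "com.example.app.MainActivity"
    invoke-direct {v1, p0, v2}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/String;)V
    const/4 v2, 0x2
    const/4 p0, 0x1
    invoke-virtual {v0, v1, v2, p0}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
    return-void
.end method

.method public static start(Landroid/content/Context;)V
    .locals 0
    invoke-static {p0}, Lcom/example/app/Helper;->collect(Landroid/content/Context;)V
    return-void
.end method

.method public static collect(Landroid/content/Context;)V
    .locals 0
    return-void
.end method
"""

# ".method <modifiers...> name(" -> capture the method name.
METHOD_RE = re.compile(r"^\.method\s+(?:[a-z\-]+\s+)*([^\s(]+)\(")

# The framework call used to disable a component such as the launcher activity.
DISABLE_CALL = "Landroid/content/pm/PackageManager;->setComponentEnabledSetting("


def parse_methods(smali: str) -> Dict[str, List[str]]:
    """Map each method name to the stripped instruction lines of its body."""
    methods: Dict[str, List[str]] = {}
    current = None
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            m = METHOD_RE.match(line)
            current = m.group(1) if m else None
            if current is not None:
                methods[current] = []
        elif line == ".end method":
            current = None
        elif current is not None and line:
            methods[current].append(line)
    return methods


def hides_icon(body: List[str]) -> bool:
    """True if the body loads state 0x2 (COMPONENT_ENABLED_STATE_DISABLED)
    and invokes setComponentEnabledSetting; a cheap heuristic, not a full
    dataflow analysis."""
    loads_disabled = any(re.match(r"const/4 \w+, 0x2$", l) for l in body)
    calls_setting = any(l.startswith("invoke-") and DISABLE_CALL in l for l in body)
    return loads_disabled and calls_setting


def callers(methods: Dict[str, List[str]], target: str) -> List[str]:
    """Names of other methods whose body contains an invoke-* of `target`."""
    pat = re.compile(r"->" + re.escape(target) + r"\(")
    return sorted(
        name for name, body in methods.items()
        if name != target and any(l.startswith("invoke-") and pat.search(l) for l in body)
    )


def report(smali: str) -> Dict[str, dict]:
    """Per-method verdict: does it hide the icon, and who calls it."""
    methods = parse_methods(smali)
    return {
        name: {"hides_icon": hides_icon(body), "callers": callers(methods, name)}
        for name, body in methods.items()
    }


def dormant_icon_hiders(smali: str) -> List[str]:
    """Methods that hide the icon but are never invoked within the parsed set."""
    return sorted(n for n, info in report(smali).items()
                  if info["hides_icon"] and not info["callers"])


if __name__ == "__main__":
    for name, info in report(SAMPLE_SMALI).items():
        print(f"{name}: hides_icon={info['hides_icon']} callers={info['callers']}")
    print("dormant icon hiders:", dormant_icon_hiders(SAMPLE_SMALI))
```

The check is deliberately local: it only sees direct invoke-* edges within the smali it is given, so a method reached through reflection, a JNI bridge, or a class outside the parsed set would still be reported as uncalled. Treat "dormant" as a prompt for a dynamic check rather than a final verdict.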

Mobile T1630.002 Indicator Removal on Host: File Deletion

ViceLeaker can delete arbitrary files from the device.[1]

Mobile T1544 Ingress Tool Transfer

ViceLeaker can download attacker-specified files.[1]

Mobile T1430 Location Tracking

ViceLeaker can collect location information, including GPS coordinates.[1][2]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

ViceLeaker was embedded into legitimate applications using Smali injection.[1]

Mobile T1636.002 Protected User Data: Call Log

ViceLeaker can collect the device’s call log.[1]

Mobile T1636.004 Protected User Data: SMS Messages

ViceLeaker can collect SMS messages.[1]

Mobile T1418 Software Discovery

ViceLeaker can obtain a list of installed applications.[1]

Mobile T1426 System Information Discovery

ViceLeaker collects device information, including the device model and OS version.[1]

Mobile T1512 Video Capture

ViceLeaker can take photos from both the front and back cameras.[1]

References