ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]

ID: S0418
Associated Software: Triout
Platforms: Android
Version: 1.0
Created: 21 November 2019
Last Modified: 26 March 2020

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

ViceLeaker can collect the device’s call log.[1]

Mobile T1418 Application Discovery

ViceLeaker can obtain a list of installed applications.[1]

Mobile T1429 Capture Audio

ViceLeaker can record audio from the device’s microphone and can record phone calls together with the caller ID.[1][2]

Mobile T1512 Capture Camera

ViceLeaker can take photos from both the front and back cameras.[1]

Mobile T1412 Capture SMS Messages

ViceLeaker can collect SMS messages.[1]

Mobile T1533 Data from Local System

ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.[1][2]

Mobile T1447 Delete Device Data

ViceLeaker can delete arbitrary files from the device.[1]

Mobile T1476 Deliver Malicious App via Other Means

ViceLeaker was primarily distributed via Telegram and WhatsApp messages.[1]

Mobile T1430 Location Tracking

ViceLeaker can collect location information, including GPS coordinates.[1][2]

Mobile T1444 Masquerade as Legitimate Application

ViceLeaker was embedded into legitimate applications using Smali injection.[1]

Mobile T1544 Remote File Copy

ViceLeaker can download attacker-specified files.[1]

Mobile T1437 Standard Application Layer Protocol

ViceLeaker uses HTTP for C2 communication and data exfiltration.[1][2]

Mobile T1508 Suppress Application Icon

ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.[2]

Mobile T1426 System Information Discovery

ViceLeaker collects device information, including the device model and OS version.[1]