1. Home
  2. Software
  3. Desert Scorpion

Desert Scorpion

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]

ID: S0505
Type: MALWARE
Platforms: Android
Version: 1.1
Created: 11 September 2020
Last Modified: 19 April 2021
Version Permalink
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1532 Archive Collected Data

Desert Scorpion can encrypt exfiltrated data.[1]
Mobile T1429 Audio Capture

Desert Scorpion can record audio from phone calls and the device microphone.[1]
Mobile T1533 Data from Local System

Desert Scorpion can collect attacker-specified files, including files located on external storage.[1]

Mobile T1407 Download New Code at Runtime

Desert Scorpion has been distributed in multiple stages.[1]
Mobile T1420 File and Directory Discovery

Desert Scorpion can list files stored on external storage.[1]
Mobile T1628 .001 Hide Artifacts: Suppress Application Icon

Desert Scorpion can hide its icon.[1]
Mobile T1630 .002 Indicator Removal on Host: File Deletion

Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1]
Mobile T1430 Location Tracking

Desert Scorpion can track the device’s location.[1]
Mobile T1644 Out of Band Data

Desert Scorpion can be controlled using SMS messages.[1]
Mobile T1636 .003 Protected User Data: Contact List

Desert Scorpion can collect the device’s contact list.[1]
.004 Protected User Data: SMS Messages

Desert Scorpion can retrieve SMS messages.[1]
Mobile T1582 SMS Control

Desert Scorpion can send SMS messages.[1]
Mobile T1418 Software Discovery

Desert Scorpion can obtain a list of installed applications.[1]
Mobile T1409 Stored Application Data

Desert Scorpion can collect account information stored on the device.[1]
Mobile T1632 .001 Subvert Trust Controls: Code Signing Policy Modification

If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1]
Mobile T1426 System Information Discovery

Desert Scorpion can collect device metadata and can check if the device is rooted.[1]
Mobile T1512 Video Capture

Desert Scorpion can record videos.[1]

Groups That Use This Software

ID Name References
G1028 APT-C-23

References

  1. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.