Desert Scorpion

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]

ID: S0505
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 11 September 2020
Last Modified: 11 September 2020

Techniques Used

Domain | ID | Name | Use
Mobile | T1432 | Access Contact List | Desert Scorpion can collect the device’s contact list.[1]
Mobile | T1409 | Access Stored Application Data | Desert Scorpion can collect account information stored on the device.[1]
Mobile | T1438 | Alternate Network Mediums | Desert Scorpion can be controlled using SMS messages.[1]
Mobile | T1418 | Application Discovery | Desert Scorpion can obtain a list of installed applications.[1]
Mobile | T1429 | Capture Audio | Desert Scorpion can record audio from phone calls and the device microphone.[1]
Mobile | T1512 | Capture Camera | Desert Scorpion can record videos.[1]
Mobile | T1412 | Capture SMS Messages | Desert Scorpion can retrieve SMS messages.[1]
Mobile | T1532 | Data Encrypted | Desert Scorpion can encrypt exfiltrated data.[1]
Mobile | T1533 | Data from Local System | Desert Scorpion can collect files located in external storage.[1]
Mobile | T1447 | Delete Device Data | Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1]
Mobile | T1475 | Deliver Malicious App via Authorized App Store | Desert Scorpion has been distributed via the Google Play Store.[1]
Mobile | T1407 | Download New Code at Runtime | Desert Scorpion has been distributed in multiple stages.[1]
Mobile | T1420 | File and Directory Discovery | Desert Scorpion can list files stored on external storage.[1]
Mobile | T1478 | Install Insecure or Malicious Configuration | If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1]
Mobile | T1430 | Location Tracking | Desert Scorpion can track the device’s location.[1]
Mobile | T1544 | Remote File Copy | Desert Scorpion can upload attacker-specified files to the C2 server.[1]
Mobile | T1582 | SMS Control | Desert Scorpion can send SMS messages.[1]
Mobile | T1508 | Suppress Application Icon | Desert Scorpion can hide its icon.[1]
Mobile | T1426 | System Information Discovery | Desert Scorpion can collect device metadata and can check if the device is rooted.[1]
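The techniques above are each backed by a specific Android capability, and most of them surface in an app's manifest before any code runs: contact, SMS, microphone, camera, location and storage access each need a declared permission, and SMS-based command and control (T1438) needs a broadcast receiver registered for incoming SMS. The following is an added triage example, not code from the Desert Scorpion sample or from the cited report: it parses a manifest, maps declared permissions to the technique IDs in the table above, and looks for an SMS-triggered receiver. The permission-to-technique mapping and the sample manifest are both constructed for illustration; the mapping is one reasonable reading of the table, not something the page states, and a real sample may request these capabilities at runtime or through code the manifest does not show (for example the T1407 staging noted above).

```python
"""Triage an Android manifest against the ATT&CK Mobile techniques listed for S0505.

Added example for illustration; the manifest below is constructed, not taken
from any real APK, and the permission-to-technique mapping is an assumption
based on the technique names on this page.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Declared permission -> (technique ID, technique name). Assumed mapping, drawn
# from the capabilities in the table above; not a statement about the real sample.
PERMISSION_TO_TECHNIQUE = {
    "android.permission.READ_CONTACTS": ("T1432", "Access Contact List"),
    "android.permission.GET_ACCOUNTS": ("T1409", "Access Stored Application Data"),
    "android.permission.RECEIVE_SMS": ("T1438", "Alternate Network Mediums"),
    "android.permission.QUERY_ALL_PACKAGES": ("T1418", "Application Discovery"),
    "android.permission.RECORD_AUDIO": ("T1429", "Capture Audio"),
    "android.permission.CAMERA": ("T1512", "Capture Camera"),
    "android.permission.READ_SMS": ("T1412", "Capture SMS Messages"),
    "android.permission.READ_EXTERNAL_STORAGE": ("T1533", "Data from Local System"),
    "android.permission.ACCESS_FINE_LOCATION": ("T1430", "Location Tracking"),
    "android.permission.SEND_SMS": ("T1582", "SMS Control"),
}

# Constructed sample manifest: a "notes" app that asks for a surveillance-grade
# permission set and hooks incoming SMS with a high-priority receiver.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <receiver android:name=".SmsCommandReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _android_attr(element, attr):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return element.get("{%s}%s" % (ANDROID_NS, attr))


def declared_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {_android_attr(p, "name") for p in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """Return names of receivers whose intent-filter listens for SMS_RECEIVED.

    A receiver like this is the usual hook for SMS-based C2 (T1438): the app
    can read a command out of an incoming message before the user sees it.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if _android_attr(action, "name") == SMS_RECEIVED_ACTION:
                found.append(_android_attr(receiver, "name"))
                break
    return found


def map_techniques(manifest_xml):
    """Map declared permissions to technique IDs; unmapped permissions are ignored."""
    techniques = {}
    for perm in declared_permissions(manifest_xml):
        if perm in PERMISSION_TO_TECHNIQUE:
            tech_id, tech_name = PERMISSION_TO_TECHNIQUE[perm]
            techniques[tech_id] = tech_name
    return dict(sorted(techniques.items()))


def triage(manifest_xml, threshold=5):
    """Summarise the manifest; flag it when many collection techniques coincide
    with an SMS command hook. The threshold is an arbitrary illustration value."""
    techniques = map_techniques(manifest_xml)
    receivers = sms_receivers(manifest_xml)
    return {
        "techniques": techniques,
        "sms_c2_receivers": receivers,
        "suspicious": len(techniques) >= threshold and bool(receivers),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Running it on the constructed manifest reports eight of the page's techniques plus the `.SmsCommandReceiver` hook and marks the app suspicious. Absence of a permission here is not evidence of absence of the capability: icon hiding (T1508), the Huawei protected-apps change (T1478) and root checks (T1426) leave no manifest trace, and a staged sample (T1407) can carry its real permission requests in a later APK.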

References