Desert Scorpion

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.[1]

ID: S0505
Platforms: Android
Version: 1.1
Created: 11 September 2020
Last Modified: 19 April 2021

Techniques Used

Domain ID Name Use
Mobile T1532 Archive Collected Data

Desert Scorpion can encrypt exfiltrated data.[1]

Mobile T1429 Audio Capture

Desert Scorpion can record audio from phone calls and the device microphone.[1]

Mobile T1533 Data from Local System

Desert Scorpion can collect attacker-specified files, including files located on external storage.[1]

Mobile T1407 Download New Code at Runtime

Desert Scorpion has been distributed in multiple stages.[1]

Mobile T1420 File and Directory Discovery

Desert Scorpion can list files stored on external storage.[1]

Mobile T1628 .001 Hide Artifacts: Suppress Application Icon

Desert Scorpion can hide its icon.[1]

Mobile T1630 .002 Indicator Removal on Host: File Deletion

Desert Scorpion can delete copies of itself if additional APKs are downloaded to external storage.[1]

Mobile T1430 Location Tracking

Desert Scorpion can track the device’s location.[1]

Mobile T1644 Out of Band Data

Desert Scorpion can be controlled using SMS messages.[1]

Mobile T1636 .003 Protected User Data: Contact List

Desert Scorpion can collect the device’s contact list.[1]

.004 Protected User Data: SMS Messages

Desert Scorpion can retrieve SMS messages.[1]

Mobile T1582 SMS Control

Desert Scorpion can send SMS messages.[1]

Mobile T1418 Software Discovery

Desert Scorpion can obtain a list of installed applications.[1]

Mobile T1409 Stored Application Data

Desert Scorpion can collect account information stored on the device.[1]

Mobile T1632 .001 Subvert Trust Controls: Code Signing Policy Modification

If running on a Huawei device, Desert Scorpion adds itself to the protected apps list, which allows it to run with the screen off.[1]

Mobile T1426 System Information Discovery

Desert Scorpion can collect device metadata and can check if the device is rooted.[1]

Mobile T1512 Video Capture

Desert Scorpion can record videos.[1]

Groups That Use This Software

ID Name References
G1028 APT-C-23