ViperRAT is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.[1]

ID: S0506
Platforms: Android
Version: 1.0
Created: 11 September 2020
Last Modified: 29 September 2020

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

ViperRAT can collect and record audio content.[1]

Mobile T1533 Data from Local System

ViperRAT can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.[1]

Mobile T1407 Download New Code at Runtime

ViperRAT has been installed in two stages and can secretly install new applications.[1]

Mobile T1430 Location Tracking

ViperRAT can track the device’s location.[1]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

ViperRAT’s second stage has masqueraded as "System Updates", "Viber Update", and "WhatsApp Update".[1]

Mobile T1636 .002 Protected User Data: Call Log

ViperRAT can collect the device’s call log.[1]

.003 Protected User Data: Contact List

ViperRAT can collect the device’s contact list.[1]

.004 Protected User Data: SMS Messages

ViperRAT can collect SMS messages.[1]

Mobile T1426 System Information Discovery

ViperRAT can collect system information, including brand, manufacturer, and serial number.[1]

Mobile T1422 System Network Configuration Discovery

ViperRAT can collect network configuration data from the device, including phone number, SIM operator, and network operator.[1]

Mobile T1421 System Network Connections Discovery

ViperRAT can collect the device’s cell tower information.[1]

Mobile T1512 Video Capture

ViperRAT can take photos with the device camera.[1]