eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.[1]

ID: S0507
Platforms: Android, iOS
Version: 1.0
Created: 14 September 2020
Last Modified: 14 September 2020

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

eSurv can exfiltrate the device’s contact list.[1]

Mobile T1429 Capture Audio

eSurv can record audio.[1]

Mobile T1533 Data from Local System

eSurv can exfiltrate device pictures.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

eSurv’s Android version was available in the Google Play Store.[1]

Mobile T1476 Deliver Malicious App via Other Means

eSurv has been distributed via phishing websites with geo-restrictions that allow access to only Italian and Turkmenistani mobile carriers. eSurv can install applications via malicious iOS provisioning profiles containing the developer’s certificate.[1]

Mobile T1407 Download New Code at Runtime

eSurv’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is Exodus.[1]

Mobile T1581 Geofencing

eSurv imposes geo-restrictions when delivering the second stage.[1]

Mobile T1430 Location Tracking

eSurv can track the device’s location.[1]

Mobile T1437 Standard Application Layer Protocol

eSurv has exfiltrated data using HTTP PUT requests.[1]

Mobile T1521 Standard Cryptographic Protocol

eSurv’s Android version has used public key encryption and certificate pinning for C2 communication.[1]

Mobile T1426 System Information Discovery

eSurv’s iOS version can collect device information.[1]