CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. [1]

ID: S0529
Platforms: Android
Version: 1.1
Created: 10 November 2020
Last Modified: 20 September 2021

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

CarbonSteal can remotely capture device audio.[1]

Mobile T1616 Call Control

CarbonSteal can silently accept an incoming phone call.[1]

Mobile T1407 Download New Code at Runtime

CarbonSteal can dynamically load additional functionality.[1]

Mobile T1521 .002 Encrypted Channel: Asymmetric Cryptography

CarbonSteal has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.[1]

Mobile T1420 File and Directory Discovery

CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.[1]

Mobile T1630 .002 Indicator Removal on Host: File Deletion

CarbonSteal has deleted call log entries coming from known C2 sources.[1]

Mobile T1430 Location Tracking

CarbonSteal can access the device’s location and track the device over time.[1]

Mobile T1575 Native API

CarbonSteal has seen native libraries used in some reported samples [1]

Mobile T1406 Obfuscated Files or Information

CarbonSteal has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.[1]

Mobile T1644 Out of Band Data

CarbonSteal has used specially crafted SMS messages to control the target device.[1]

Mobile T1636 .004 Protected User Data: SMS Messages

CarbonSteal can access the device’s SMS and MMS messages.[1]

Mobile T1418 Software Discovery

CarbonSteal has looked for specific applications, such as MiCode.[1]

Mobile T1409 Stored Application Data

CarbonSteal can collect notes and data from the MiCode app.[1]

Mobile T1426 System Information Discovery

CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.[1]

Mobile T1422 System Network Configuration Discovery

CarbonSteal has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). CarbonSteal has also called netcfg to get stats.[1]