| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.[1] |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1407 | Download New Code at Runtime | GPlayed has the capability to remotely load plugins and download and compile new .NET code.[1] |
| Mobile | T1642 | Endpoint Denial of Service | GPlayed can lock the user out of the device by showing a persistent overlay.[1] |
| Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | GPlayed can register for the |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information.[1] |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | GPlayed has used the Play Store icon as well as the name "Google Play Marketplace".[1] |
| Mobile | T1406 | Obfuscated Files or Information | GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | |
| Mobile | T1636.004 | Protected User Data: SMS Messages | |
| Mobile | T1603 | Scheduled Task/Job | GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[1] |
| Mobile | T1582 | SMS Control | |
| Mobile | T1418 | Software Discovery | |
| Mobile | T1426 | System Information Discovery | GPlayed can collect the device’s model, country, and Android version.[1] |
| Mobile | T1422 | System Network Configuration Discovery | GPlayed can collect the device’s IMEI, phone number, and country.[1] |
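The T1406 entry above describes exfiltrated data that is base64-encoded with some alphabet characters swapped out. The following is an added example (not GPlayed's code and not from the cited report) showing how an analyst can recognise and undo that kind of substitution. The substitution table `SUBST`, the sample exfil record, and the `recover_mapping` known-plaintext trick are all assumptions for illustration; the report does not say which characters GPlayed replaced.

```python
import base64
import string

# Standard base64 alphabet (RFC 4648), used to spot characters that do not belong.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical substitution table. The real GPlayed mapping is not given in the source;
# this one stands in for "some base64 characters replaced with other symbols".
SUBST = {"a": "@", "e": "#", "=": "!"}


def obfuscate(data: bytes, subst: dict = SUBST) -> str:
    """Encode with standard base64, then apply the character substitutions."""
    b64 = base64.b64encode(data).decode("ascii")
    return "".join(subst.get(c, c) for c in b64)


def deobfuscate(blob: str, subst: dict = SUBST) -> bytes:
    """Reverse the substitutions, then decode strictly so a wrong map fails loudly."""
    inverse = {v: k for k, v in subst.items()}
    restored = "".join(inverse.get(c, c) for c in blob)
    return base64.b64decode(restored, validate=True)


def foreign_chars(blob: str) -> set:
    """Characters in a captured blob that fall outside the base64 alphabet plus padding.

    A non-empty result on something that otherwise looks like base64 is the
    first hint that an alphabet substitution is in play.
    """
    return {c for c in blob if c not in STD_ALPHABET + "="}


def recover_mapping(blob: str, known_prefix: bytes) -> dict:
    """Infer substitutions from a known plaintext prefix (e.g. a JSON header the
    malware always sends). Only whole 3-byte groups of the prefix are used, since
    the last partial group's base64 characters depend on bytes we do not know.
    Also catches in-alphabet swaps, which foreign_chars() cannot see.
    """
    usable = len(known_prefix) - len(known_prefix) % 3
    expected = base64.b64encode(known_prefix[:usable]).decode("ascii")
    mapping = {}
    for exp, obs in zip(expected, blob):
        if exp == obs:
            continue
        if mapping.get(exp, obs) != obs:
            raise ValueError(f"conflicting substitution observed for {exp!r}")
        mapping[exp] = obs
    return mapping


# Constructed sample exfil record; values are made up for the example.
SAMPLE = b'{"imei":"356938035643809","model":"Pixel 3","country":"US"}'


def demo() -> dict:
    blob = obfuscate(SAMPLE)
    return {
        "blob": blob,
        "foreign": foreign_chars(blob),
        "mapping_from_header": recover_mapping(blob, b'{"imei":'),
        "roundtrip_ok": deobfuscate(blob) == SAMPLE,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In practice the captured blob comes from a proxy log or a memory dump, and the known prefix comes from reversing the sample's serialisation code; `recover_mapping` then yields the table to feed into `deobfuscate`. Decoding with `validate=True` matters: a lenient decoder would silently drop any substituted character it did not understand and hand back corrupted data instead of an error.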