GPlayed is an Android trojan with a broad range of capabilities.[1]

ID: S0536
Platforms: Android
Version: 1.0
Created: 24 November 2020
Last Modified: 24 November 2020

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

GPlayed can access the device’s contact list.[1]

Mobile T1418 Application Discovery

GPlayed can collect a list of installed applications.[1]

Mobile T1402 Broadcast Receivers

GPlayed can register for the BOOT_COMPLETED broadcast intent.[1]

Mobile T1412 Capture SMS Messages

GPlayed can read SMS messages.[1]

Mobile T1533 Data from Local System

GPlayed can collect the user’s browser cookies.[1]

Mobile T1447 Delete Device Data

GPlayed can wipe the device.[1]

Mobile T1401 Device Administrator Permissions

GPlayed can request device administrator permissions.[1]

Mobile T1446 Device Lockout

GPlayed can lock the user out of the device by showing a persistent overlay.[1]

Mobile T1407 Download New Code at Runtime

GPlayed has the capability to remotely load plugins and download and compile new .NET code.[1]

Mobile T1411 Input Prompt

GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information.[1]

Mobile T1430 Location Tracking

GPlayed can request the device’s location.[1]

Mobile T1444 Masquerade as Legitimate Application

GPlayed has used the Play Store icon as well as the name "Google Play Marketplace".[1]

Mobile T1406 Obfuscated Files or Information

GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.[1]

Mobile T1603 Scheduled Task/Job

GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[1]

Mobile T1582 SMS Control

GPlayed can send SMS messages.[1]

Mobile T1437 Standard Application Layer Protocol

GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.[1]

Mobile T1426 System Information Discovery

GPlayed can collect the device’s model, country, and Android version.[1]

Mobile T1422 System Network Configuration Discovery

GPlayed can collect the device’s IMEI, phone number, and country.[1]