GPlayed is an Android trojan with a broad range of capabilities.[1]

ID: S0536
Platforms: Android
Version: 1.0
Created: 24 November 2020
Last Modified: 24 November 2020

Techniques Used

Domain ID Name Use
Mobile T1626.001 Abuse Elevation Control Mechanism: Device Administrator Permissions

GPlayed can request device administrator permissions.[1]

Mobile T1437.001 Application Layer Protocol: Web Protocols

GPlayed has communicated with the C2 using HTTP requests or WebSockets as a backup.[1]

Mobile T1533 Data from Local System

GPlayed can collect the user’s browser cookies.[1]

Mobile T1407 Download New Code at Runtime

GPlayed has the capability to remotely load plugins and download and compile new .NET code.[1]

Mobile T1642 Endpoint Denial of Service

GPlayed can lock the user out of the device by showing a persistent overlay.[1]

Mobile T1624.001 Event Triggered Execution: Broadcast Receivers

GPlayed can register for the BOOT_COMPLETED broadcast intent.[1]

Mobile T1630.002 Indicator Removal on Host: File Deletion

GPlayed can wipe the device.[1]

Mobile T1417.002 Input Capture: GUI Input Capture

GPlayed can show a phishing WebView pretending to be a Google service that collects credit card information.[1]

Mobile T1430 Location Tracking

GPlayed can request the device’s location.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

GPlayed has used the Play Store icon as well as the name "Google Play Marketplace".[1]

Mobile T1406 Obfuscated Files or Information

GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.[1]

Mobile T1636.003 Protected User Data: Contact List

GPlayed can access the device’s contact list.[1]

Mobile T1636.004 Protected User Data: SMS Messages

GPlayed can read SMS messages.[1]

Mobile T1603 Scheduled Task/Job

GPlayed has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.[1]

Mobile T1582 SMS Control

GPlayed can send SMS messages.[1]

Mobile T1418 Software Discovery

GPlayed can collect a list of installed applications.[1]

Mobile T1426 System Information Discovery

GPlayed can collect the device’s model, country, and Android version.[1]

Mobile T1422 System Network Configuration Discovery

GPlayed can collect the device’s IMEI, phone number, and country.[1]