Domain | ID | Name | Use |
---|---|---|---|
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | |
Mobile | T1533 | Data from Local System | SilkBean can retrieve files from external storage and can collect browser data.[1] |
Mobile | T1407 | Download New Code at Runtime | SilkBean can install new applications which are obtained from the C2 server.[1] |
Mobile | T1521.002 | Encrypted Channel: Asymmetric Cryptography | |
Mobile | T1420 | File and Directory Discovery | |
Mobile | T1630.002 | Indicator Removal on Host: File Deletion | SilkBean can delete various pieces of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.[1] |
Mobile | T1430 | Location Tracking | |
Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.[1] |
Mobile | T1406 | Obfuscated Files or Information | SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information.[1] |
Mobile | T1636.002 | Protected User Data: Call Log | |
Mobile | T1636.003 | Protected User Data: Contact List | |
Mobile | T1636.004 | Protected User Data: SMS Messages | |
Mobile | T1582 | SMS Control | |
Mobile | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification | SilkBean has attempted to trick users into enabling installation of applications from unknown sources.[1] |
Mobile | T1512 | Video Capture | |