SilkBean

SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.[1]

ID: S0549
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 24 December 2020
Last Modified: 19 April 2021

Techniques Used

Domain ID Name Use
Mobile T1437.001 Application Layer Protocol: Web Protocols

SilkBean has used HTTPS for C2 communication.[1]

Mobile T1533 Data from Local System

SilkBean can retrieve files from external storage and can collect browser data.[1]

Mobile T1407 Download New Code at Runtime

SilkBean can install new applications which are obtained from the C2 server.[1]

Mobile T1521.002 Encrypted Channel: Asymmetric Cryptography

SilkBean has used HTTPS for C2 communication.[1]

Mobile T1420 File and Directory Discovery

SilkBean can get file lists on the SD card.[1]

Mobile T1630.002 Indicator Removal on Host: File Deletion

SilkBean can delete various pieces of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.[1]

Mobile T1430 Location Tracking

SilkBean has access to the device’s location.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.[1]

Mobile T1406 Obfuscated Files or Information

SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information.[1]

Mobile T1636.002 Protected User Data: Call Log

SilkBean can access call logs.[1]

Mobile T1636.003 Protected User Data: Contact List

SilkBean can access device contacts.[1]

Mobile T1636.004 Protected User Data: SMS Messages

SilkBean can access SMS messages.[1]

Mobile T1582 SMS Control

SilkBean can send SMS messages.[1]

Mobile T1632.001 Subvert Trust Controls: Code Signing Policy Modification

SilkBean has attempted to trick users into enabling installation of applications from unknown sources.[1]

Mobile T1512 Video Capture

SilkBean can access the camera on the device.[1]

References