SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.[1]

ID: S0549
Platforms: Android
Version: 1.0
Created: 24 December 2020
Last Modified: 19 April 2021

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

SilkBean can access call logs.[1]

Mobile T1432 Access Contact List

SilkBean can access device contacts.[1]

Mobile T1512 Capture Camera

SilkBean can access the camera on the device.[1]

Mobile T1412 Capture SMS Messages

SilkBean can access SMS messages.[1]

Mobile T1533 Data from Local System

SilkBean can retrieve files from external storage and can collect browser data.[1]

Mobile T1447 Delete Device Data

SilkBean can delete various pieces of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.[1]

Mobile T1407 Download New Code at Runtime

SilkBean can install new applications which are obtained from the C2 server.[1]

Mobile T1420 File and Directory Discovery

SilkBean can get file lists on the SD card.[1]

Mobile T1478 Install Insecure or Malicious Configuration

SilkBean has attempted to trick users into enabling installation of applications from unknown sources.[1]

Mobile T1430 Location Tracking

SilkBean has access to the device’s location.[1]

Mobile T1444 Masquerade as Legitimate Application

SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic-focused keyboards, alphabets, and plugins, as well as official-looking Google applications.[1]

Mobile T1406 Obfuscated Files or Information

SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information.[1]

Mobile T1582 SMS Control

SilkBean can send SMS messages.[1]

Mobile T1437 Standard Application Layer Protocol

SilkBean has used HTTPS for C2 communication.[1]

Mobile T1521 Standard Cryptographic Protocol

SilkBean has used HTTPS for C2 communication.[1]
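The Techniques Used list above is a capability inventory, and one practical way to use it is to triage a suspicious APK's manifest against it: which declared permissions would an app need to do what SilkBean is credited with here (read call logs, contacts, SMS, camera, location, external storage, send SMS, install packages)? The script below is an added example and is not SilkBean's code or code from the cited report. The permission-to-technique mapping is this example's own analyst heuristic, the package name is a placeholder, and the manifest is constructed for illustration; a permission only shows that a capability was requested, not that it is abused.

```python
"""Map an APK's declared permissions to the mobile ATT&CK techniques listed
on this page. Added triage example; the mapping is a heuristic and the sample
manifest is constructed, neither comes from the SilkBean report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Technique IDs and names as they appear in the Techniques Used list above.
TECHNIQUES = {
    "T1433": "Access Call Log",
    "T1432": "Access Contact List",
    "T1512": "Capture Camera",
    "T1412": "Capture SMS Messages",
    "T1533": "Data from Local System",
    "T1447": "Delete Device Data",
    "T1407": "Download New Code at Runtime",
    "T1420": "File and Directory Discovery",
    "T1430": "Location Tracking",
    "T1582": "SMS Control",
}

# Analyst heuristic (an assumption of this example, not from the page): the
# standard Android permissions that grant the capability behind each technique.
PERMISSION_TO_TECHNIQUES = {
    "android.permission.READ_CALL_LOG": ["T1433"],
    "android.permission.WRITE_CALL_LOG": ["T1447"],
    "android.permission.READ_CONTACTS": ["T1432"],
    "android.permission.WRITE_CONTACTS": ["T1447"],
    "android.permission.CAMERA": ["T1512"],
    "android.permission.READ_SMS": ["T1412"],
    "android.permission.RECEIVE_SMS": ["T1412"],
    "android.permission.SEND_SMS": ["T1582"],
    "android.permission.READ_EXTERNAL_STORAGE": ["T1533", "T1420"],
    "android.permission.WRITE_EXTERNAL_STORAGE": ["T1447"],
    "android.permission.ACCESS_FINE_LOCATION": ["T1430"],
    "android.permission.ACCESS_COARSE_LOCATION": ["T1430"],
    "android.permission.REQUEST_INSTALL_PACKAGES": ["T1407"],
}

# Constructed sample manifest; "com.example.sampleapp" is a placeholder name.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sampleapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Sample"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every permission name the manifest requests, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def map_to_techniques(permissions):
    """Return (matched, unmapped): matched maps technique ID -> sorted list of
    supporting permissions; unmapped lists permissions with no mapping."""
    matched = {}
    unmapped = []
    for perm in permissions:
        ids = PERMISSION_TO_TECHNIQUES.get(perm)
        if not ids:
            unmapped.append(perm)
            continue
        for tid in ids:
            matched.setdefault(tid, []).append(perm)
    return {k: sorted(v) for k, v in matched.items()}, sorted(unmapped)


def triage(manifest_xml):
    """Summarise which of the page's techniques a manifest's permissions support."""
    matched, unmapped = map_to_techniques(declared_permissions(manifest_xml))
    return {
        "techniques": {tid: TECHNIQUES[tid] for tid in sorted(matched)},
        "evidence": matched,
        "unmapped_permissions": unmapped,
        # Fraction of the page's technique list that this manifest could support.
        "coverage": len(matched) / len(TECHNIQUES),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for tid, name in result["techniques"].items():
        print(f"{tid} {name}: {', '.join(result['evidence'][tid])}")
    print("unmapped:", result["unmapped_permissions"])
    print(f"coverage: {result['coverage']:.0%}")
```

Two caveats matter when reading the output. A high coverage score is only a reason to look closer, since a legitimate messaging or keyboard app can request many of the same permissions. And because SilkBean installs additional applications fetched from its C2 server (T1407), the permissions declared by the trojanized carrier app may understate what ends up running on the device; the manifests of anything it installs need the same check.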