DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.[1]

ID: S0550
Platforms: Android
Version: 1.0
Created: 24 December 2020
Last Modified: 19 April 2021

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1433 | Access Call Log | DoubleAgent has accessed the call logs.[1] |
| Mobile | T1432 | Access Contact List | DoubleAgent has accessed the contact list.[1] |
| Mobile | T1409 | Access Stored Application Data | DoubleAgent has accessed browser history, as well as the files for 15 other apps.[1] |
| Mobile | T1418 | Application Discovery | DoubleAgent has accessed the list of installed apps.[1] |
| Mobile | T1429 | Capture Audio | DoubleAgent has captured audio and can record phone calls.[1] |
| Mobile | T1412 | Capture SMS Messages | DoubleAgent has captured SMS and MMS messages.[1] |
| Mobile | T1605 | Command-Line Interface | DoubleAgent can run arbitrary shell commands.[1] |
| Mobile | T1533 | Data from Local System | DoubleAgent has collected files from the infected device.[1] |
| Mobile | T1447 | Delete Device Data | DoubleAgent has deleted or renamed specific files.[1] |
| Mobile | T1407 | Download New Code at Runtime | DoubleAgent has downloaded additional code, such as TowelRoot, to root devices.[1] |
| Mobile | T1404 | Exploit OS Vulnerability | DoubleAgent has used exploit tools to gain root, such as TowelRoot.[1] |
| Mobile | T1420 | File and Directory Discovery | DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.[1] |
| Mobile | T1444 | Masquerade as Legitimate Application | DoubleAgent has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.[1] |
| Mobile | T1400 | Modify System Partition | DoubleAgent has used exploits to root devices and install additional malware on the /system partition.[1] |
| Mobile | T1406 | Obfuscated Files or Information | DoubleAgent has used an AES-encrypted file in the assets folder with an innocuous name (e.g. ‘GoogleMusic.png’) for holding configuration and C2 information.[1] |
| Mobile | T1437 | Standard Application Layer Protocol | DoubleAgent has used both FTP and TCP sockets for data exfiltration.[1] |
| Mobile | T1508 | Suppress Application Icon | DoubleAgent has hidden its app icon.[1] |
| Mobile | T1426 | System Information Discovery | DoubleAgent has accessed common system information.[1] |