GoldenEagle is a piece of Android malware that has been used to target Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.[1]

ID: S0551
Version: 1.0
Created: 24 December 2020
Last Modified: 25 March 2021

Techniques Used

| Domain | ID | Name | Use |
|--------|----|------|-----|
| Mobile | T1433 | Access Call Log | GoldenEagle has collected call logs.[1] |
| Mobile | T1432 | Access Contact List | GoldenEagle has collected a list of contacts.[1] |
| Mobile | T1409 | Access Stored Application Data | GoldenEagle has extracted messages from chat programs, such as WeChat.[1] |
| Mobile | T1418 | Application Discovery | GoldenEagle has collected a list of installed application names.[1] |
| Mobile | T1429 | Capture Audio | GoldenEagle has recorded calls and environment audio in .amr format.[1] |
| Mobile | T1512 | Capture Camera | GoldenEagle has taken photos with the device camera.[1] |
| Mobile | T1412 | Capture SMS Messages | GoldenEagle has collected SMS messages.[1] |
| Mobile | T1533 | Data from Local System | GoldenEagle has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.[1] |
| Mobile | T1407 | Download New Code at Runtime | GoldenEagle can download new code to update itself.[1] |
| Mobile | T1420 | File and Directory Discovery | GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.[1] |
| Mobile | T1478 | Install Insecure or Malicious Configuration | GoldenEagle has modified or configured proxy information.[1] |
| Mobile | T1430 | Location Tracking | GoldenEagle has tracked location.[1] |
| Mobile | T1444 | Masquerade as Legitimate Application | GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.[1] |
| Mobile | T1513 | Screen Capture | GoldenEagle has taken screenshots.[1] |
| Mobile | T1582 | SMS Control | GoldenEagle has sent messages to an attacker-controlled number.[1] |
| Mobile | T1437 | Standard Application Layer Protocol | GoldenEagle has exfiltrated data via both SMTP and HTTP and used HTTP POST requests for C2.[1] |
| Mobile | T1426 | System Information Discovery | GoldenEagle has checked for system root.[1] |