GoldenEagle

GoldenEagle is a piece of Android malware that has been used to target Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.[1]

ID: S0551
Type: MALWARE
Version: 1.0
Created: 24 December 2020
Last Modified: 25 March 2021

Techniques Used

Domain | ID | Name | Use
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | GoldenEagle has used HTTP POST requests for C2.[1]
Mobile | T1429 | Audio Capture | GoldenEagle has recorded calls and environment audio in .amr format.[1]
Mobile | T1533 | Data from Local System | GoldenEagle has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.[1]
Mobile | T1407 | Download New Code at Runtime | GoldenEagle can download new code to update itself.[1]
Mobile | T1646 | Exfiltration Over C2 Channel | GoldenEagle has exfiltrated data via both SMTP and HTTP.[1]
Mobile | T1420 | File and Directory Discovery | GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.[1]
Mobile | T1430 | Location Tracking | GoldenEagle has tracked location.[1]
Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.[1]
Mobile | T1636.002 | Protected User Data: Call Log | GoldenEagle has collected call logs.[1]
Mobile | T1636.003 | Protected User Data: Contact List | GoldenEagle has collected a list of contacts.[1]
Mobile | T1636.004 | Protected User Data: SMS Messages | GoldenEagle has collected SMS messages.[1]
Mobile | T1513 | Screen Capture | GoldenEagle has taken screenshots.[1]
Mobile | T1582 | SMS Control | GoldenEagle has sent messages to an attacker-controlled number.[1]
Mobile | T1418 | Software Discovery | GoldenEagle has collected a list of installed application names.[1]
Mobile | T1409 | Stored Application Data | GoldenEagle has extracted messages from chat programs, such as WeChat.[1]
Mobile | T1632.001 | Subvert Trust Controls: Code Signing Policy Modification | GoldenEagle has modified or configured proxy information.[1]
Mobile | T1426 | System Information Discovery | GoldenEagle has checked for system root.[1]
Mobile | T1512 | Video Capture | GoldenEagle has taken photos with the device camera.[1]

References