Phenakite

Phenakite is mobile malware used by APT-C-23 to target iOS devices. According to several reports, Phenakite was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.[1][2]

ID: S1126
Type: MALWARE
Platforms: iOS
Contributors: Sittikorn Sangrattanapitak
Version: 1.0
Created: 26 March 2024
Last Modified: 17 April 2024

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1429 | Audio Capture | Phenakite can record phone calls.[2] |
| Mobile | T1533 | Data from Local System | Phenakite can collect and exfiltrate WhatsApp media, photos and files with specific extensions, such as .pdf and .doc.[2] |
| Mobile | T1404 | Exploitation for Privilege Escalation | Phenakite has included exploits for jailbreaking infected devices.[2] |
| Mobile | T1544 | Ingress Tool Transfer | Phenakite can download additional malware to the victim device.[2] |
| Mobile | T1417 | Input Capture | Phenakite has used phishing sites for iCloud and Facebook if either of those was used for authentication during the chat sign-up process.[2] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | Phenakite can masquerade as the chat application "Magic Smile."[2] |
| Mobile | T1636.003 | Protected User Data: Contact List | Phenakite can exfiltrate the victim device's contact list.[2] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Phenakite can read SMS messages.[2] |
| Mobile | T1426 | System Information Discovery | Phenakite can collect device metadata.[2] |
| Mobile | T1512 | Video Capture | Phenakite can capture pictures and videos.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1028 | APT-C-23 | [1][2] |

References