SMS Control

Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.

This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.[1][2]

ID: T1582
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
MTC ID: APP-16, CEL-41
Version: 1.0
Created: 11 September 2020
Last Modified: 22 October 2020

Procedure Examples

ID Name Description
S0422 Anubis

Anubis can send, receive, and delete SMS messages.[3]

S0540 Asacub

Asacub can send SMS messages from compromised devices.[4]

S0480 Cerberus

Cerberus can send SMS messages from a device.[5]

S0425 Corona Updates

Corona Updates can send SMS messages.[6]

S0301 Dendroid

Dendroid can send and block SMS messages.[7]

S0505 Desert Scorpion

Desert Scorpion can send SMS messages.[8]

S0522 Exobot

Exobot can forward SMS messages.[9]

S0509 FakeSpy

FakeSpy can send SMS messages.[10]

S0423 Ginp

Ginp can send SMS messages.[11]

S0551 GoldenEagle

GoldenEagle has sent messages to an attacker-controlled number.[12]

S0536 GPlayed

GPlayed can send SMS messages.[13]

S0485 Mandrake

Mandrake can block, forward, hide, and send SMS messages.[14]

S0539 Red Alert 2.0

Red Alert 2.0 can send SMS messages.[15]

S0411 Rotexy

Rotexy can automatically reply to SMS messages, and optionally delete them.[16]

S0549 SilkBean

SilkBean can send SMS messages.[12]

S0328 Stealth Mango

Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[17]

S0545 TERRACOTTA

TERRACOTTA can send SMS messages.[18]

S0558 Tiktok Pro

Tiktok Pro can send SMS messages.[19]

S0427 TrickMo

TrickMo can delete SMS messages.[20]

S0489 WolfRAT

WolfRAT can delete and send SMS messages.[21]

Mitigations

ID Mitigation Description
M1005 Application Vetting

Application vetting services could provide further scrutiny to applications that request SMS-based permissions.

M1011 User Guidance

Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1]

Detection

Users can view the default SMS handler in system settings.

References