SMS Control

Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.

This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.[1][2]

ID: T1582
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
MTC ID: APP-16, CEL-41
Version: 1.1
Created: 11 September 2020
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S1095 AhRat

AhRat can send SMS messages.[3]

S0292 AndroRAT

AndroRAT can send SMS messages.[4]

S0422 Anubis

Anubis can send, receive, and delete SMS messages.[5]

S0540 Asacub

Asacub can send SMS messages from compromised devices.[6]

S0655 BusyGasper

BusyGasper can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.[7]

S0480 Cerberus

Cerberus can send SMS messages from a device.[8]

S0425 Corona Updates

Corona Updates can send SMS messages.[9]

S0301 Dendroid

Dendroid can send and block SMS messages.[10]

S0505 Desert Scorpion

Desert Scorpion can send SMS messages.[11]

S1054 Drinik

Drinik can steal incoming SMS messages and send SMS messages from compromised devices. [12]

S1092 Escobar

Escobar can modify, send, and delete SMS messages.[13]

S0522 Exobot

Exobot can forward SMS messages.[14]

S0509 FakeSpy

FakeSpy can send SMS messages.[15]

S1067 FluBot

FluBot can send SMS phishing messages to other contacts on an infected device.[16][17]

S0423 Ginp

Ginp can send SMS messages.[18]

S0551 GoldenEagle

GoldenEagle has sent messages to an attacker-controlled number.[19]

S0536 GPlayed

GPlayed can send SMS messages.[20]

S0485 Mandrake

Mandrake can block, forward, hide, and send SMS messages.[21]

S0539 Red Alert 2.0

Red Alert 2.0 can send SMS messages.[22]

S0411 Rotexy

Rotexy can automatically reply to SMS messages, and optionally delete them.[23]

S1062 S.O.V.A.

S.O.V.A. can send SMS messages.[24]

S1055 SharkBot

SharkBot can hide and send SMS messages. SharkBot can also change which application is the device’s default SMS handler.[25]

S0549 SilkBean

SilkBean can send SMS messages.[19]

S0328 Stealth Mango

Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[26]

S1069 TangleBot

TangleBot can send text messages.[27]

S0545 TERRACOTTA

TERRACOTTA can send SMS messages.[28]

S0558 Tiktok Pro

Tiktok Pro can send SMS messages.[29]

S0427 TrickMo

TrickMo can delete SMS messages.[30]

S0489 WolfRAT

WolfRAT can delete and send SMS messages.[31]

Mitigations

ID Mitigation Description
M1011 User Guidance

Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1]

Detection

ID Data Source Data Component Detects
DS0042 User Interface System Settings

The user can view the default SMS handler in system settings.

References

  1. S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.
  2. Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.
  3. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
  4. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.
  5. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  6. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  7. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  8. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  9. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  10. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
  11. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  12. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  13. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.
  14. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  15. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  16. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  1. Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.
  2. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  4. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  5. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  6. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  7. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  8. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
  9. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  10. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  11. Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.
  12. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
  13. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  14. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  15. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.