SMS Control

Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or cause various external effects.

This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions, depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, it can register for the SMS_DELIVER broadcast intent, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.[1][2]

ID: T1582
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Impact
Platforms: Android
MTC ID: APP-16, CEL-41
Version: 1.0
Created: 11 September 2020
Last Modified: 22 October 2020

Procedure Examples

Name: Description
Anubis: Anubis can send, receive, and delete SMS messages.[3]
Cerberus: Cerberus can send SMS messages from a device.[4]
Corona Updates: Corona Updates can send SMS messages.[5]
Dendroid: Dendroid can send and block SMS messages.[6]
Desert Scorpion: Desert Scorpion can send SMS messages.[7]
FakeSpy: FakeSpy can send SMS messages.[8]
Ginp: Ginp can send SMS messages.[9]
Mandrake: Mandrake can block, forward, hide, and send SMS messages.[10]
Rotexy: Rotexy can automatically reply to SMS messages, and optionally delete them.[11]
Stealth Mango: Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[12]
TrickMo: TrickMo can delete SMS messages.[13]
WolfRAT: WolfRAT can delete and send SMS messages.[14]

Mitigations

Mitigation: Description
Application Vetting: Application vetting services could provide further scrutiny to applications that request SMS-based permissions.
User Guidance: Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1]
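
A vetting check of the kind described under Application Vetting, as an added example that is not part of the original page: it reads a decoded AndroidManifest.xml (assumed to have been extracted with a tool such as apktool) and reports the requested SMS permissions and any receiver registered for SMS_DELIVER. READ_SMS is included alongside the two permissions the page names, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# RECEIVE_SMS and SEND_SMS are named on the page; READ_SMS is added here.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS",
                   "android.permission.READ_SMS"}
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"

# Constructed sample manifests (not taken from any real app).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

def review_manifest(manifest_xml):
    """Return the SMS-related findings for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(el.get(ANDROID + "name") for el in root.iter(tag))
    # Default SMS handlers declare a receiver for the SMS_DELIVER broadcast.
    receivers = [r.get(ANDROID + "name") for r in root.iter("receiver")
                 if any(a.get(ANDROID + "name") == SMS_DELIVER
                        for a in r.iter("action"))]
    return {"package": root.get("package"),
            "sms_permissions": sorted(requested & SMS_PERMISSIONS),
            "sms_deliver_receivers": receivers}

def needs_scrutiny(findings):
    """True when the app asks for SMS access or can become the SMS handler."""
    return bool(findings["sms_permissions"] or findings["sms_deliver_receivers"])

if __name__ == "__main__":
    for result in map(review_manifest, (SAMPLE_FLAGGED, SAMPLE_CLEAN)):
        print(result, "-> review" if needs_scrutiny(result) else "-> ok")
```

A flagged result is a prompt for closer review, not a verdict: legitimate messaging apps declare the same permissions and receiver.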

Detection

Users can view the default SMS handler in system settings.

References