Call Control

Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

Several permissions may be used to programmatically control phone calls, including:

  • ANSWER_PHONE_CALLS - Allows the application to answer incoming phone calls[1]
  • CALL_PHONE - Allows the application to initiate a phone call without going through the Dialer interface[1]
  • PROCESS_OUTGOING_CALLS - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether[1]
  • MANAGE_OWN_CALLS - Allows a calling application to manage its own calls through the self-managed ConnectionService APIs[1]
  • BIND_TELECOM_CONNECTION_SERVICE - Required permission when using a ConnectionService[1]
  • WRITE_CALL_LOG - Allows an application to write to the device call log, potentially to hide malicious phone calls[1]

When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application only needs to redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. The call is then placed only if the user explicitly initiates it or the application uses some form of Input Injection to initiate it programmatically.

ID: T1616
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android
Contributors: Gaetan van Diemen, ThreatFabric
Version: 1.2
Created: 20 September 2021
Last Modified: 24 October 2025

Procedure Examples

ID | Name | Description
S1214 | Android/SpyAgent | Android/SpyAgent can execute an automated phone call.[2]
S0292 | AndroRAT | AndroRAT can make phone calls.[3]
S0422 | Anubis | Anubis can make phone calls.[4]
S1094 | BRATA | BRATA can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.[5]
S0655 | BusyGasper | BusyGasper can open a hidden menu when a specific phone number is called from the infected device.[6]
S0529 | CarbonSteal | CarbonSteal can silently accept an incoming phone call.[7]
S1083 | Chameleon | Chameleon has the ability to control calls.[8]
S9004 | Crocodilus | Crocodilus has the ability to enable call forwarding.[9]
S9005 | DocSwap | DocSwap has requested the CALL_PHONE permission to make phone calls.[10][11]
S1054 | Drinik | Drinik can use the Android CallScreeningService to silently block incoming calls.[12]
S1092 | Escobar | Escobar can initiate phone calls.[13]
S1080 | Fakecalls | Fakecalls can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls.[14]
S1231 | GodFather | GodFather has requested the CALL_PHONE permission to initiate phone calls.[15]
S0407 | Monokle | Monokle can be controlled via phone call from a set of "control phones."[16]
S1195 | SpyC23 | SpyC23 can make phone calls.[17][18]
S1069 | TangleBot | TangleBot can make and block phone calls.[19]
S9006 | VajraSpy | VajraSpy has requested android.permission.CALL_PHONE.[20]

Mitigations

ID | Mitigation | Description
M1011 | User Guidance | Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0703 | Detection of Call Control | AN1822 | The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction.
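The capability side of this analytic (declared call-control permissions and telecom services) can be triaged statically from a decoded AndroidManifest.xml before any runtime correlation. The following is an added example, not part of the ATT&CK page: the function name `triage_manifest`, the sample manifest, and its package and service names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Call-control permissions listed on this page (android.permission.* names).
CALL_CONTROL_PERMISSIONS = {
    "ANSWER_PHONE_CALLS", "CALL_PHONE", "PROCESS_OUTGOING_CALLS",
    "MANAGE_OWN_CALLS", "WRITE_CALL_LOG",
}
# Intent actions of the telecom services named on this page.
TELECOM_ACTIONS = {"android.telecom.ConnectionService",
                   "android.telecom.CallScreeningService"}

# Constructed sample: decoded manifest of a hypothetical app, not a real sample.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Screen"
             android:permission="android.permission.BIND_SCREENING_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return call-control findings from a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            short = name.rsplit(".", 1)[-1]
            # Only platform permissions count; ignore look-alike custom names.
            if name.startswith("android.permission.") and short in CALL_CONTROL_PERMISSIONS:
                requested.add(short)
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        hits = sorted(actions & TELECOM_ACTIONS)
        bind = svc.get(ANDROID_NS + "permission", "")
        if hits or bind.endswith(".BIND_TELECOM_CONNECTION_SERVICE"):
            services.append((svc.get(ANDROID_NS + "name"), hits))
    # Pairing of call handling with call-log write access (possible concealment).
    can_act = requested & {"CALL_PHONE", "ANSWER_PHONE_CALLS", "PROCESS_OUTGOING_CALLS"}
    return {"permissions": sorted(requested), "telecom_services": services,
            "call_log_concealment_risk": bool(can_act) and "WRITE_CALL_LOG" in requested}
```

A non-empty result only establishes capability; it still has to be weighed against the app's stated purpose and correlated with the runtime behavior the analytic describes.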

References