Protected User Data: SMS Messages

Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages.

If the device has been jailbroken or rooted, an adversary may be able to access SMS Messages without the user’s knowledge or approval.

ID: T1636.004
Sub-technique of:  T1636
Tactic: Collection
Platforms: Android, iOS
MTC ID: APP-13
Version: 1.1
Created: 01 April 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can intercept SMS messages containing two factor authentication codes.[1]

S0309 Adups

Adups transmitted the full contents of text messages.[2]

S0304 Android/Chuli.A

Android/Chuli.A stole SMS message content.[3]

S0292 AndroRAT

AndroRAT captures SMS messages.[4]

S0540 Asacub

Asacub can collect SMS messages as they are received.[5]

S1079 BOULDSPY

BOULDSPY can exfiltrate SMS logs.[6]

S0432 Bread

Bread can access SMS messages in order to complete carrier billing fraud.[7]

S0655 BusyGasper

BusyGasper can collect SMS messages.[8]

S0529 CarbonSteal

CarbonSteal can access the device’s SMS and MMS messages.[9]

S0480 Cerberus

Cerberus can collect SMS messages from a device.[10]

S1083 Chameleon

Chameleon can gather SMS messages.[11]

S0425 Corona Updates

Corona Updates can collect SMS messages.[12]

S0301 Dendroid

Dendroid can intercept SMS messages.[13]

S0505 Desert Scorpion

Desert Scorpion can retrieve SMS messages.[14]

S0550 DoubleAgent

DoubleAgent has captured SMS and MMS messages.[9]

S1054 Drinik

Drinik can collect user SMS messages.[15]

S0320 DroidJack

DroidJack captures SMS data.[16]

S1092 Escobar

Escobar can read SMS messages on the device.[17]

S0478 EventBot

EventBot can intercept SMS messages.[18]

S0522 Exobot

Exobot can intercept SMS messages.[19]

S0405 Exodus

Exodus Two can capture SMS messages.[20]

S1080 Fakecalls

Fakecalls can access text message history.[21]

S0509 FakeSpy

FakeSpy can collect SMS messages.[22]

S0182 FinFisher

FinFisher captures and exfiltrates SMS messages.[23]

S0408 FlexiSpy

FlexiSpy can intercept SMS and MMS messages as well as monitor messages for keywords.[24][25]

S1067 FluBot

FluBot can intercept SMS messages and USSD messages from Telcom operators.[26]

S0577 FrozenCell

FrozenCell has read SMS messages for exfiltration.[27]

S0423 Ginp

Ginp can collect SMS messages.[28]

S0535 Golden Cup

Golden Cup can collect sent and received SMS messages.[29]

S0551 GoldenEagle

GoldenEagle has collected SMS messages.[9]

S0421 GolfSpy

GolfSpy can collect SMS messages.[30]

S0536 GPlayed

GPlayed can read SMS messages.[31]

S0406 Gustuff

Gustuff can intercept two-factor authentication codes transmitted via SMS.[32]

S0544 HenBox

HenBox can intercept SMS messages.[33]

S0463 INSOMNIA

INSOMNIA can retrieve SMS messages and iMessages.[34]

S0485 Mandrake

Mandrake can access SMS messages.[35]

S0303 MazarBOT

MazarBOT can intercept two-factor authentication codes sent by online banking apps.[36]

C0016 Operation Dust Storm

During Operation Dust Storm, the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.[37]

S0399 Pallas

Pallas captures and exfiltrates all SMS messages, including future messages as they are received.[23]

S0289 Pegasus for iOS

Pegasus for iOS captures SMS messages that the victim sends or receives.[38]

S0295 RCSAndroid

RCSAndroid can collect SMS, MMS, and Gmail messages.[39]

S0539 Red Alert 2.0

Red Alert 2.0 can collect SMS messages.[40]

S0403 Riltok

Riltok can intercept incoming SMS messages.[41]

S0411 Rotexy

Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can also send a list of all SMS messages on the device to the command and control server.[42]

S0313 RuMMS

RuMMS uploads incoming SMS messages to a remote command and control server.[43]

S1062 S.O.V.A.

S.O.V.A. can intercept and read SMS messages.[44]

S1055 SharkBot

SharkBot can intercept SMS messages.[45]

S0549 SilkBean

SilkBean can access SMS messages.[9]

S0324 SpyDealer

SpyDealer harvests SMS and MMS messages from victims.[46]

S0305 SpyNote RAT

SpyNote RAT can read SMS messages.[47]

S0328 Stealth Mango

Stealth Mango uploads SMS messages.[48]

S0329 Tangelo

Tangelo contains functionality to gather SMS messages.[48]

S1069 TangleBot

TangleBot can read incoming text messages.[49]

S0558 Tiktok Pro

Tiktok Pro can collect SMS messages from the device.[50]

S0424 Triada

Triada variants capture transaction data from SMS-based in-app purchases.[51]

S0427 TrickMo

TrickMo can intercept SMS messages.[52]

S0418 ViceLeaker

ViceLeaker can collect SMS messages.[53]

S0506 ViperRAT

ViperRAT can collect SMS messages.[54]

G0112 Windshift

Windshift has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[55]

S0489 WolfRAT

WolfRAT can collect SMS messages.[56]

S0298 Xbot

Xbot steals all SMS message and contact information as well as intercepts and parses certain SMS messages.[57]

S0318 XLoader for Android

XLoader for Android collects SMS messages.[58]

Mitigations

ID Mitigation Description
M1011 User Guidance

Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting Permissions Requests

Application vetting services could look for android.permission.READ_SMS in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it.

DS0042 User Interface System Settings

On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.

References

  1. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  2. Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.
  3. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
  4. Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.
  5. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  6. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.
  7. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
  8. Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.
  9. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  10. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  11. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.
  12. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  13. Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
  14. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  15. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  16. Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017.
  17. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.
  18. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  19. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  20. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  21. Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.
  22. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  23. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  24. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
  25. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
  26. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  27. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  28. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  29. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  1. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  2. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  3. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  4. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  5. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.
  6. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  7. Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.
  8. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  9. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  10. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  11. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  12. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  13. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  14. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
  15. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.
  16. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  17. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  18. Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.
  19. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  20. Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.
  21. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  22. Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.
  23. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  24. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  25. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
  26. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  27. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.
  28. Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
  29. Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.