Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TECHNIQUES
PRE-ATT&CK
Priority Definition Planning
Priority Definition Direction
Target Selection
Technical Information Gathering
People Information Gathering
Organizational Information Gathering
Technical Weakness Identification
People Weakness Identification
Organizational Weakness Identification
Adversary OPSEC
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Credential Access
Brute Force
Credentials from Password Stores
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Mobile
  4. Capture SMS Messages

Capture SMS Messages

A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.

On Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.

On iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.

ID: T1412
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactics: Collection, Credential Access
Platforms: Android, iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 18 September 2019

Procedure Examples

Name Description
Adups

Adups transmitted the full contents of text messages.[11]
Android/Chuli.A

Android/Chuli.A stole SMS message content.[15]
AndroRAT

AndroRAT captures SMS messages.[5]
Anubis

Anubis can send, receive, and delete SMS messages.[24]
Bread

Bread can access SMS messages in order to complete carrier billing fraud.[28]
Cerberus

Cerberus can collect and send SMS messages from a device.[31]
Corona Updates

Corona Updates can collect and send SMS messages.[26]
DroidJack

DroidJack captures SMS data.[13]
EventBot

EventBot can intercept SMS messages.[30]
Exodus

Exodus Two can capture SMS messages.[19]
FinFisher

FinFisher captures and exfiltrates SMS messages.[16]
FlexiSpy

FlexiSpy can intercept SMS and MMS messages as well as monitor messages for keywords.[2][3]
Ginp

Ginp can send and collect SMS messages.[25]
GolfSpy

GolfSpy can collect SMS messages.[23]
Gustuff

Gustuff can intercept two-factor authentication codes transmitted via SMS.[20]

INSOMNIA

INSOMNIA can retrieve SMS messages and iMessages.[29]
MazarBOT

MazarBOT can intercept two-factor authentication codes sent by online banking apps.[8]
Pallas

Pallas captures and exfiltrates all SMS messages, including future messages as they are received.[16]
Pegasus for iOS

Pegasus for iOS captures SMS messages that the victim sends or receives.[9]
RCSAndroid

RCSAndroid can collect SMS, MMS, and Gmail messages.[10]
Riltok

Riltok can intercept incoming SMS messages.[18]
Rotexy

Rotexy processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. Rotexy can automatically reply to SMS messages, and optionally delete them. Rotexy can also send a list of all SMS messages on the device to the command and control server.[21]
RuMMS

RuMMS uploads incoming SMS messages to a remote command and control server.[7]
SpyDealer

SpyDealer harvests SMS and MMS messages from victims.[4]
SpyNote RAT

SpyNote RAT can read SMS messages.[12]
Stealth Mango

Stealth Mango uploads SMS logs and deletes incoming messages from specified numbers, including those that contain particular strings.[6]
Tangelo

Tangelo contains functionality to gather SMS messages.[6]
Triada

Triada variants capture transaction data from SMS-based in-app purchases.[17]

TrickMo

TrickMo can intercept and delete SMS messages.[27]
ViceLeaker

ViceLeaker can collect SMS messages.[22]
Xbot

Xbot steals all SMS message and contact information as well as intercepts and parses certain SMS messages.[1]
XLoader

XLoader collects SMS messages.[14]

Mitigations

Mitigation Description
Application Vetting

Enterprises performing application vetting could search for applications that declare the RECEIVE_SMS permission and scrutinize them closely.
Security Updates
Use Recent OS Version

Detection

On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.

References

  1. Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
  2. Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.
  3. FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.
  4. Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.
  5. Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.
  6. Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
  7. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
  8. Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.
  9. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  10. Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.
  11. Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.
  12. Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.
  13. Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017.
  14. Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.
  15. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
  16. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  1. Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.
  2. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  3. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  4. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  5. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  6. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  7. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  8. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  9. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  10. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  11. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  12. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
  13. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.
  14. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  15. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.