{"description": "Mobile techniques used by CarbonSteal, ATT&CK software S0529 (v1.1)", "name": "CarbonSteal (S0529)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1429", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1616", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1521", "showSubtechniques": true}, {"techniqueID": "T1521.002", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1420", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1430", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s location and track the device over time.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1575", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has seen native libraries used in some reported samples (Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1406", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1644", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1422", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). [CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1422.001", "comment": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CarbonSteal", "color": "#66b1ff"}]}