{"description": "Mobile techniques used by DoubleAgent, ATT&CK software S0550 (v1.0)", "name": "DoubleAgent (S0550)", "domain": "mobile-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1437", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1429", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1623", "showSubtechniques": true}, {"techniqueID": "T1623.001", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1645", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1533", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1407", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1404", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools to gain root, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1420", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1628", "showSubtechniques": true}, {"techniqueID": "T1628.001", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1630", "showSubtechniques": true}, {"techniqueID": "T1630.002", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1655", "showSubtechniques": true}, {"techniqueID": "T1655.001", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1406", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. \u2018GoogleMusic.png\u2019) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1636", "showSubtechniques": true}, {"techniqueID": "T1636.002", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.003", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1636.004", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1418", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1409", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1426", "comment": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DoubleAgent", "color": "#66b1ff"}]}