S0418: ViceLeaker
ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.[1][2]
Analyst context for executives and security teams
ViceLeaker is an Android spyware framework described by ATT&CK as capable of broad surveillance and data exfiltration. Its business significance is not just “mobile malware”; it represents the kind of mobile compromise that can expose conversations, location, call/SMS history, local files, device details, and application inventory from user devices that may also access corporate systems.
Executive priority
Treat this as a mobile risk and privacy-resilience scenario. Leaders should ask whether Android devices with business access are governed by mobile policy, whether sensitive roles are monitored for excessive mobile permissions and suspicious network behavior, and whether incident response plans cover collection, containment, and legal/privacy handling for compromised personal or corporate mobile devices. Priority is highest where Android devices are used by executives, field staff, regulated functions, or users with access to sensitive communications and data.
Technical view
ATT&CK provides no detection section for ViceLeaker, so validation should be technique-driven. The supplied relationships describe Android behaviors: software and system information discovery, audio capture (including recording of phone calls with caller ID), photo capture from both cameras, location tracking, call log and SMS collection, local data access (arbitrary files, browsing history, SD card structure, and pictures as the user takes them), download of attacker-specified files, deletion of arbitrary files, embedding into legitimate applications through Smali injection, HTTP-based command and control, and exfiltration over that same HTTP channel. Code to hide the application icon is present, but the Bitdefender analysis notes it was not called in the sample examined, so a visible icon does not rule the family out. SOC and IR teams should verify whether their mobile telemetry can show installed applications, package names, permissions, launcher visibility, access to microphone/camera/location/SMS/call logs/local storage, suspicious file activity, and outbound HTTP/HTTPS communications from mobile apps.
Likely telemetry
- Android application inventory, package names, signing metadata, install source, and app visibility/launcher state
- Mobile permission grants and usage for microphone, camera, location, SMS, call log, and local/external storage access
- Device system information and software inventory collected through managed mobile controls
- Mobile network telemetry for app-originated HTTP/HTTPS connections and unusual recurring communications
- File creation, deletion, and transfer indicators where available from mobile security or device management tooling
Detection direction
- Build coverage around the related ATT&CK techniques rather than a single malware name, because no official ViceLeaker detection guidance is supplied.
- Validate visibility into Android permissions and sensitive API use; spyware behavior may appear as legitimate app functionality unless correlated with app reputation, user role, install source, and network activity.
- Hunt for combinations of surveillance permissions, hidden or misleading application presentation, suspicious package naming, and web-protocol communications.
- Correlate data collection behaviors such as call log, SMS, location, audio, video, and local file access with outbound communications that could support exfiltration over the C2 channel.
- Account for false positives from legitimate communications, recording, navigation, backup, and enterprise management apps by baselining approved applications and expected permissions.
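The hunting direction above (surveillance permissions plus hidden or misleading presentation, sideloading, and periodic web-protocol communications, with an allowlist to absorb legitimate apps) can be expressed as a small scoring pass over app inventory records. The following is an added example written for this page; it is not ATT&CK, Kaspersky or Bitdefender code. The package names, hosts, timestamps, point values and threshold are constructed for illustration, and the mapping from Android permission strings to ATT&CK Mobile technique IDs is our own assumption about which permission a given collection technique would need.

```python
"""Technique-driven triage of Android app inventory records.

Added example for this page (not from ATT&CK or the cited vendor reports).
All records below are constructed; package names and hosts are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Real Android permission constants mapped to the ATT&CK Mobile techniques in
# the ViceLeaker relationship list. The mapping itself is an assumption.
SURVEILLANCE_PERMS: Dict[str, str] = {
    "android.permission.READ_SMS": "T1636.004",             # SMS Messages
    "android.permission.READ_CALL_LOG": "T1636.002",        # Call Log
    "android.permission.ACCESS_FINE_LOCATION": "T1430",     # Location Tracking
    "android.permission.RECORD_AUDIO": "T1429",             # Audio Capture
    "android.permission.CAMERA": "T1512",                   # Video Capture
    "android.permission.READ_EXTERNAL_STORAGE": "T1533",    # Data from Local System
}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]                    # installer package; None = sideloaded
    launcher_visible: bool                      # has an enabled launcher icon
    permissions: Set[str]                       # granted permissions
    http_events: List[Tuple[float, str, str]]   # (epoch seconds, host, scheme)


@dataclass
class Finding:
    package: str
    score: int
    techniques: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def beacon_like(events: List[Tuple[float, str, str]], min_events: int = 4,
                max_jitter: float = 0.25) -> bool:
    """True if >= min_events requests to one host recur at a near-constant
    interval (every gap within max_jitter of the mean gap)."""
    by_host: Dict[str, List[float]] = {}
    for ts, host, _scheme in events:
        by_host.setdefault(host, []).append(ts)
    for stamps in by_host.values():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
            return True
    return False


def score_app(app: AppRecord) -> Finding:
    """Combine the individual signals into one finding. Point values are illustrative."""
    f = Finding(app.package, 0)
    for perm, tid in sorted(SURVEILLANCE_PERMS.items()):
        if perm in app.permissions:
            f.score += 1
            f.techniques.append(tid)
            f.reasons.append(f"surveillance permission {perm}")
    if not app.launcher_visible:                 # Suppress Application Icon
        f.score += 2
        f.techniques.append("T1628.001")
        f.reasons.append("no launcher icon")
    if app.installer is None:                    # not installed by a store client
        f.score += 1
        f.reasons.append("sideloaded (no installer package)")
    if beacon_like(app.http_events):             # Web Protocols, periodic C2
        f.score += 2
        f.techniques.append("T1437.001")
        f.reasons.append("periodic web-protocol beacon to one host")
    if any(scheme == "http" for _, _, scheme in app.http_events):
        f.score += 1
        f.reasons.append("cleartext HTTP to remote host")
    return f


def triage(apps: List[AppRecord], allowlist: Set[str], threshold: int = 5) -> List[Finding]:
    """Score every non-allowlisted app and return those at/above threshold, highest first."""
    findings = [score_app(a) for a in apps if a.package not in allowlist]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample inventory (hypothetical packages and hosts).
SUSPECT = AppRecord("com.example.sysupdate", None, False, set(SURVEILLANCE_PERMS),
                    [(0, "updates.example.test", "http"), (600, "updates.example.test", "http"),
                     (1210, "updates.example.test", "http"), (1795, "updates.example.test", "http"),
                     (2400, "updates.example.test", "http")])
MESSENGER = AppRecord("com.example.messenger", "com.android.vending", True,
                      {"android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
                       "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"},
                      [(0, "api.messenger.test", "https"), (50, "api.messenger.test", "https"),
                       (900, "api.messenger.test", "https"), (1300, "api.messenger.test", "https")])
FLASHLIGHT = AppRecord("com.example.flashlight", None, True, {"android.permission.CAMERA"}, [])
SAMPLE_APPS = [SUSPECT, MESSENGER, FLASHLIGHT]
ALLOWLIST = {"com.example.messenger"}          # approved app baseline

if __name__ == "__main__":
    for finding in triage(SAMPLE_APPS, ALLOWLIST):
        print(finding.package, finding.score, finding.techniques, finding.reasons)
```

Only the sideloaded, icon-less app with the full permission set and a regular cleartext beacon crosses the threshold; the allowlisted messenger never enters scoring, and the sideloaded flashlight app with a single camera permission stays well below it. In production the permission and installer fields would come from MDM or mobile security tooling and the HTTP events from proxy or NetFlow data; the point is the correlation, not any single signal.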
Mitigation priorities
- Establish or confirm mobile device governance for Android devices that access business data, including inventory, minimum OS posture, approved app sources, and permission review.
- Restrict business access from unmanaged or non-compliant devices where policy allows, especially for sensitive users and regulated data.
- Use least-privilege mobile permissions and regularly review apps requesting microphone, camera, location, SMS, call log, and broad storage access.
- Improve mobile incident response playbooks for suspected spyware, including preservation of evidence, account/session review, device isolation or removal from business access, and privacy/legal coordination.
- Tune network and mobile security monitoring for suspicious web-protocol communications from mobile applications. The cited analyses describe cleartext HTTP for both C2 and exfiltration, so unencrypted app traffic to unfamiliar hosts is itself a usable signal; where HTTPS is used, content inspection may not be possible and detection falls back to destination, timing, and volume.
Analyst notes and limits
The strongest decision value comes from the relationship context: ViceLeaker is associated with multiple mobile surveillance, discovery, evasion, C2, and exfiltration techniques on Android. This supports a control-validation exercise across mobile management, SOC telemetry, and IR readiness rather than a narrow signature check.
ATT&CK provides no official detection text, no tactics for this object in the supplied fields, and no environment-specific indicators here. Local device ownership models, mobile telemetry availability, app allowlists, network architecture, and legal/privacy requirements are required to determine actual exposure and response options.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.004 | Protected User Data: SMS Messages | ViceLeaker can collect SMS messages. [1] |
| Mobile | T1426 | System Information Discovery | ViceLeaker collects device information, including the device model and OS version. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | ViceLeaker uses HTTP data exfiltration. [1][2] |
| Mobile | T1418 | Software Discovery | ViceLeaker can obtain a list of installed applications. [1] |
| Mobile | T1636.002 | Protected User Data: Call Log | ViceLeaker can collect the device's call log. [1] |
| Mobile | T1544 | Ingress Tool Transfer | ViceLeaker can download attacker-specified files. [1] |
| Mobile | T1430 | Location Tracking | ViceLeaker can collect location information, including GPS coordinates. [1][2] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | ViceLeaker can delete arbitrary files from the device. [1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | ViceLeaker was embedded into legitimate applications using Smali injection. [1] |
| Mobile | T1512 | Video Capture | ViceLeaker can take photos from both the front and back cameras. [1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | ViceLeaker uses HTTP requests for C2 communication. [1][2] |
| Mobile | T1533 | Data from Local System | ViceLeaker can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them. [1][2] |
| Mobile | T1628.001 | Hide Artifacts: Suppress Application Icon | ViceLeaker includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software. [2] |
| Mobile | T1429 | Audio Capture | ViceLeaker can record audio from the device's microphone and can record phone calls together with the caller ID. [1][2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 26b96ae1d2b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SecureList - ViceLeaker 2019: GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
- [2] Bitdefender - Triout 2018: L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.
- [3] Triout: associated software name recorded on the ATT&CK object (Citation: SecureList - ViceLeaker 2019).
- [4] ViceLeaker: associated software name recorded on the ATT&CK object (Citation: SecureList - ViceLeaker 2019).
- [5] mitre-attack S0418: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.