S0529: CarbonSteal
CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. [1]
Analyst context for executives and security teams
CarbonSteal is an Android surveillanceware tool described by MITRE as primarily focused on audio surveillance and as part of a family sharing common command-and-control infrastructure. For leaders, the material issue is not just malware on a phone: it is the potential exposure of conversations, location, SMS, calls, and application data from mobile devices that may travel with executives, employees, or sensitive operations.
Executive priority
Prioritize CarbonSteal as a mobile surveillance risk affecting privacy, incident scoping, legal/compliance evidence, and executive/operational security. Leaders should ask whether Android devices are inventoried, whether high-risk permissions such as microphone, location, SMS, and call control are governed, and whether mobile incident response can preserve evidence from managed and BYOD devices.
Technical view
ATT&CK provides no official detection text, so validation should be relationship-driven. SOC and IR teams should test Android visibility for obfuscated files, runtime code download, native API/NDK use, installed software discovery, file and directory discovery, system and network discovery, audio capture, location tracking, SMS collection, call control, file deletion, out-of-band communications, asymmetric cryptography, and legitimate-name/location masquerading. Coverage depends heavily on MDM/UEM, mobile threat defense, application vetting, network metadata, and lawful device-forensic access.
Likely telemetry
- Android device inventory and managed/BYOD ownership status
- Installed application package names, signing certificates, icons, install sources, and update history
- Application manifest permissions, especially RECORD_AUDIO, location, SMS, and phone/call-related permissions
- Runtime indicators such as downloaded code, native libraries, and dynamically loaded components
- Mobile network, DNS, TLS, and destination metadata for suspected C2 communications
Detection direction
- Do not rely on static app-store or APK checks alone; the related Download New Code at Runtime behavior means post-install behavior matters.
- Tune for combinations of risk signals: microphone access plus background location, SMS or call permissions, discovery activity, encrypted outbound traffic, or suspicious package naming.
- Validate whether mobile tools can observe Android native code execution, dynamic loading, and obfuscated artifacts, as these are common blind spots.
- Use allowlists carefully for legitimate apps with sensitive permissions to reduce false positives while still detecting unexpected permission combinations or masquerading.
- Correlate mobile telemetry with network destinations and timing of audio, SMS, call, or location access when investigating suspected surveillance.
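The signal-combination tuning and the allowlist caveat above can be turned into a triage pass over an MDM/UEM inventory export. The block below is an added example written for this page; it is not code from MITRE, Lookout, or any mobile threat defense product. The inventory records, the signer digests, the allowlist, and the field names `signer_sha256`, `install_source`, and `dynamic_code` are constructed assumptions about what such an export would carry. The allowlist is keyed on the (package, signer) pair rather than the package name, so a package impersonating a Google or chat app does not inherit trust from its name.

```python
"""Score an Android app inventory for CarbonSteal-style signal combinations.

Added example for this page, not code from MITRE, Lookout or an MTD vendor.
All records, digests and the allowlist below are constructed sample data; the
export field names (signer_sha256, install_source, dynamic_code) are assumed.
"""
from dataclasses import dataclass, field

MIC = "android.permission.RECORD_AUDIO"
LOC_FINE = "android.permission.ACCESS_FINE_LOCATION"
LOC_BG = "android.permission.ACCESS_BACKGROUND_LOCATION"
SMS_READ = "android.permission.READ_SMS"
SMS_RECV = "android.permission.RECEIVE_SMS"
CALL_ANSWER = "android.permission.ANSWER_PHONE_CALLS"
CALL_LOG_WRITE = "android.permission.WRITE_CALL_LOG"
QUERY_PKGS = "android.permission.QUERY_ALL_PACKAGES"
PLAY_STORE = "com.android.vending"  # installer package reported for Google Play

# Constructed placeholder; a real allowlist carries the actual SHA-256 of the
# vendor's APK signing certificate.
GOOGLE_SIGNER = "sha256:0000-google-placeholder"

# Trust is the (package, signer) pair, never the package name alone: CarbonSteal
# impersonated Google apps, chat apps, VPN apps and games by name.
ALLOWLIST = {("com.google.android.dialer", GOOGLE_SIGNER)}

# Packages in these namespaces must carry a known vendor signer; any other
# signer is treated as legitimate-name masquerading (T1655.001).
TRUSTED_NAMESPACES = {"com.google.": {GOOGLE_SIGNER}, "com.android.": {GOOGLE_SIGNER}}

# Assumed weights; tune against your own false-positive rate.
WEIGHTS = {
    "mic+location": 3, "mic+sms": 3, "call-control": 2, "software-discovery": 1,
    "runtime-code": 2, "sideloaded": 1, "masquerade": 4,
}


@dataclass
class AppRecord:
    package: str
    signer_sha256: str
    install_source: str                 # installer package; "" when sideloaded
    permissions: set = field(default_factory=set)
    dynamic_code: bool = False          # runtime DEX/JAR loading seen by MTD


def findings_for(app: AppRecord):
    """Return the list of risk signals an app record triggers (empty if allowlisted)."""
    if (app.package, app.signer_sha256) in ALLOWLIST:
        return []
    p = app.permissions
    hits = []
    if MIC in p and p & {LOC_FINE, LOC_BG}:
        hits.append("mic+location")        # audio capture plus location tracking
    if MIC in p and p & {SMS_READ, SMS_RECV}:
        hits.append("mic+sms")             # audio capture plus SMS access/control channel
    if p & {CALL_ANSWER, CALL_LOG_WRITE}:
        hits.append("call-control")        # silent call answering, call-log tampering
    if QUERY_PKGS in p:
        hits.append("software-discovery")  # enumerating installed apps (e.g. MiCode)
    if app.dynamic_code:
        hits.append("runtime-code")        # post-install behaviour a static APK check misses
    if app.install_source != PLAY_STORE:
        hits.append("sideloaded")
    for ns, signers in TRUSTED_NAMESPACES.items():
        if app.package.startswith(ns) and app.signer_sha256 not in signers:
            hits.append("masquerade")
            break
    return hits


def score(app: AppRecord) -> int:
    return sum(WEIGHTS[h] for h in findings_for(app))


def triage(records, threshold=6):
    """Return (package, score, signals) for records at or above threshold, highest first."""
    scored = [(a.package, score(a), findings_for(a)) for a in records]
    return sorted([r for r in scored if r[1] >= threshold], key=lambda r: -r[1])


# Constructed sample inventory, not real observations.
SAMPLE = [
    AppRecord("com.google.android.dialer", GOOGLE_SIGNER, PLAY_STORE,
              {MIC, CALL_ANSWER, CALL_LOG_WRITE}),                       # allowlisted
    AppRecord("com.google.android.apps.chat", "sha256:unknown-signer", "",
              {MIC, LOC_BG, SMS_READ, CALL_ANSWER, QUERY_PKGS}, dynamic_code=True),
    AppRecord("com.example.chat", "sha256:example-vendor", PLAY_STORE,
              {MIC, SMS_READ}),                                           # ordinary messenger
]

if __name__ == "__main__":
    for pkg, s, hits in triage(SAMPLE):
        print(f"{pkg}: score={s} signals={hits}")
```

Run against the constructed sample, only the sideloaded package that borrows a Google namespace with an unknown signer crosses the threshold; the genuine dialer is allowlisted by its (package, signer) pair, and the Play-installed messenger with microphone and SMS permissions scores below it, which is the false-positive case the allowlist guidance is meant to handle.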
Mitigation priorities
- Establish Android device inventory and enforce baseline mobile management for corporate devices.
- Restrict or review high-risk permissions for microphone, location, SMS, and call control, especially for unmanaged or little-known apps.
- Use application vetting and mobile threat defense to assess obfuscation, dynamic code loading, native components, and suspicious naming.
- Separate sensitive meetings and operations from unmanaged mobile devices where policy requires stronger assurance.
- Prepare mobile IR procedures for evidence preservation, user consent/legal handling, device isolation, and coordinated network review.
Analyst notes and limits
The strongest ATT&CK-supported business framing is mobile surveillance, especially audio capture, with related behaviors showing broader discovery, collection, evasion, C2 protection, and masquerading patterns. Because tactics and official detection are not specified, this take emphasizes validation questions rather than asserting coverage.
This summary uses only the supplied MITRE fields, external references, and relationships. ATT&CK does not provide official detection guidance for CarbonSteal here, and local conclusions require device telemetry, application samples, network evidence, and legal authority for mobile data review.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This follows the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes are mirrored ATT&CK relationship text; every procedure below is sourced from the Lookout report [1].
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1521.002 | Encrypted Channel: Asymmetric Cryptography | CarbonSteal has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing an SSL connection. [1] |
| Mobile | T1418 | Software Discovery | CarbonSteal has looked for specific applications, such as MiCode. [1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | CarbonSteal has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games. [1] |
| Mobile | T1575 | Native API | Native libraries have been observed in some reported CarbonSteal samples. [1] |
| Mobile | T1616 | Call Control | CarbonSteal can silently accept an incoming phone call. [1] |
| Mobile | T1407 | Download New Code at Runtime | CarbonSteal can dynamically load additional functionality. [1] |
| Mobile | T1426 | System Information Discovery | CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number. [1] |
| Mobile | T1422 | System Network Configuration Discovery | CarbonSteal has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). CarbonSteal has also called `netcfg` to get stats. [1] |
| Mobile | T1430 | Location Tracking | CarbonSteal can access the device's location and track the device over time. [1] |
| Mobile | T1429 | Audio Capture | CarbonSteal can remotely capture device audio. [1] |
| Mobile | T1420 | File and Directory Discovery | CarbonSteal has searched device storage for various files, including .amr files (audio recordings) and superuser binaries. [1] |
| Mobile | T1409 | Stored Application Data | CarbonSteal can collect notes and data from the MiCode app. [1] |
| Mobile | T1406 | Obfuscated Files or Information | CarbonSteal has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files. [1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | CarbonSteal can access the device's SMS and MMS messages. [1] |
| Mobile | T1644 | Out of Band Data | CarbonSteal has used specially crafted SMS messages to control the target device. [1] |
| Mobile | T1422.001 | System Network Configuration Discovery: Internet Connection Discovery | CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number. [1] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | CarbonSteal has deleted call log entries coming from known C2 sources. [1] |
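The T1406 row describes assets hidden under wrong extensions (secondary APKs, JAR or DEX files, encrypted configs). Because an APK is a zip container, the practical hunting check is to read each entry and compare its leading bytes with what the extension claims, and to flag headerless, near-random content as possibly encrypted. The block below is an added example for this page, not code from MITRE or Lookout; the APK it scans is built in memory from invented entry names and contents, and the 7.5 bits-per-byte entropy threshold is a heuristic assumption.

```python
"""Flag APK assets whose content does not match their extension (T1406 pattern).

Added example for this page, not code from MITRE or Lookout. The sample APK is
constructed in memory; entry names and contents are invented, and the entropy
threshold is an assumption.
"""
import io
import math
import os
import zipfile
from collections import Counter

# Leading bytes for content types a surveillance tool would want to disguise.
MAGICS = [
    (b"PK\x03\x04", "zip"),    # APK and JAR files are zip containers
    (b"dex\n", "dex"),          # Dalvik executable
    (b"\x7fELF", "elf"),        # native library
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXPECTED_BY_EXT = {
    ".apk": "zip", ".jar": "zip", ".zip": "zip", ".dex": "dex", ".so": "elf",
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
}
EXECUTABLE = {"zip", "dex", "elf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "likely encrypted"
MIN_ENTROPY_LEN = 256     # entropy is meaningless on tiny files


def detect_type(data: bytes):
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return None


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk_bytes(apk: bytes):
    """Return one finding dict per suspicious entry in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            ext = os.path.splitext(info.filename)[1].lower()
            kind = detect_type(data)
            expected = EXPECTED_BY_EXT.get(ext)
            if kind in EXECUTABLE and kind != expected:
                # executable payload (nested APK/JAR, DEX, ELF) under a misleading name
                findings.append({"name": info.filename, "detected": kind,
                                 "reason": f"{kind} content stored as '{ext or '(no ext)'}'"})
            elif (kind is None and expected is None
                  and len(data) >= MIN_ENTROPY_LEN
                  and shannon_entropy(data) > ENTROPY_THRESHOLD):
                # no recognised header and near-random bytes: candidate encrypted asset
                findings.append({"name": info.filename, "detected": "high-entropy",
                                 "reason": "headerless near-random content; possibly encrypted"})
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like zip mixing clean assets with disguised ones."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    nested_apk = inner.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)            # legitimate
        z.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF" + b"\x00" * 32)  # legitimate
        z.writestr("assets/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)   # legitimate
        z.writestr("assets/logo.png", nested_apk)                            # secondary APK as image
        z.writestr("assets/config.txt", b"dex\n035\x00" + b"\x01" * 64)      # DEX as text
        z.writestr("assets/blob.dat", bytes(range(256)) * 16)                # stand-in for encrypted config
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk_bytes(build_sample_apk()):
        print(f"{f['name']}: {f['reason']}")
```

On a real sample, feed `scan_apk_bytes` the bytes of the APK and, for each flagged zip entry, recurse into it: CarbonSteal's secondary APKs can carry their own disguised assets. Encrypted assets will not decode without the key, so a high-entropy hit is a lead for dynamic analysis rather than a verdict.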
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0954875c1d43… |
Mirrored ATT&CK source object
The raw object is retained in the mirrored ATT&CK source bundle and identified by its object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lookout Uyghur Campaign. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
[2] MITRE ATT&CK. S0529: CarbonSteal (source object record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.