S0549: SilkBean
Analyst context for executives and security teams
SilkBean matters because it represents Android surveillanceware with broad remote access capability, not just a single malicious action. The ATT&CK relationships show behaviors that can expose sensitive mobile data, location, contacts, SMS messages, call logs, camera video, and local files while using obfuscation, runtime code download, web protocols, and cryptography to complicate analysis and monitoring.
Executive priority
For leaders, the decision value is mobile risk governance: confirm whether Android devices that handle sensitive business, legal, executive, activist, or regulated data are covered by mobile security policy, app vetting, telemetry, and incident response playbooks. Because ATT&CK provides no official detection guidance for SilkBean, priority should be on validating foundational controls and evidence collection rather than assuming existing SOC tooling will see it.
Technical view
SOC, detection, and IR teams should treat SilkBean as an Android malware profile associated with multiple mobile techniques: obfuscated files or information, downloading code at runtime, file and directory discovery, location tracking, web-protocol communications, video capture, asymmetric cryptography, local data collection, SMS control, file deletion, code-signing policy modification, call log/contact/SMS collection, and masquerading via legitimate-looking names or locations. Validate whether mobile telemetry can show suspicious permission use, dynamic code loading, unusual app network activity over HTTP/HTTPS, access to content providers such as SMS, contacts, and call logs, camera/location access, file enumeration, and deletion activity.
Likely telemetry
- Android application inventory, package names, signing information, install source, and update history
- Mobile device management or enterprise mobility management compliance state, including sideloading and code-signing policy posture
- Android permission grants and runtime permission changes for location, SMS, contacts, call logs, camera, and storage
- Network metadata for mobile apps using web protocols, including destination domains/IPs, frequency, volume, and TLS/HTTP characteristics where available
- Mobile threat defense or endpoint telemetry for dynamic code loading, obfuscated payloads, suspicious files, and masquerading app names/icons
Detection direction
- Do not rely on a SilkBean-specific analytic alone; ATT&CK does not provide official detection text for this object.
- Prioritize behavior-based validation around the related techniques: runtime code download, obfuscation, sensitive permission combinations, local data discovery, SMS/control activity, and web-protocol command traffic.
- Tune for context: legitimate enterprise apps may use location, camera, contacts, or web protocols, so detections should combine permission use, app reputation, install source, package/signing anomalies, network behavior, and user/device risk.
- Check blind spots in bring-your-own-device, unmanaged Android devices, sideloaded apps, encrypted traffic, and mobile apps that are not visible to standard endpoint or network monitoring.
- Use relationship-driven threat hunting: look for Android apps that both collect sensitive local data and communicate externally using web protocols, especially if they also download code at runtime or present as a trusted-looking app.
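One way to turn the relationship-driven hunt above into a repeatable check, as an added example that is not part of the ATT&CK object or the Glexia page: score each Android app on the technique pairings listed in this profile (sensitive local data access combined with web-protocol egress, runtime code loading, sideloaded install source, a Google-looking label signed by someone else, and bulk user-data deletion) rather than on any single event. The record fields, package names, hosts and sample values are constructed assumptions, not a real MDM or mobile-threat-defense schema; adapt the field mapping to whatever telemetry export is actually available.

```python
"""Relationship-driven hunt over constructed Android app telemetry.

Added example: scores each app on the technique combinations that the
ATT&CK relationships for SilkBean describe. Field names, package names,
hosts and thresholds are assumptions, not a real MDM/MTD schema.
"""
from dataclasses import dataclass, field

# Data sources mapped from the technique table (T1636.x, T1430, T1512, T1533, T1420).
SENSITIVE_SOURCES = {"sms", "contacts", "call_log", "location", "camera", "external_storage"}
# Installer packages treated as trusted; anything else counts as sideloaded (T1632.001 context).
TRUSTED_INSTALLERS = {"com.android.vending"}
WEB_SCHEMES = {"http", "https"}  # T1437.001


@dataclass
class AppRecord:
    package: str
    label: str                      # user-visible app name
    installer: str                  # installing package; "" means unknown/sideloaded
    signer_cn: str                  # subject CN of the signing certificate
    sources_read: set               # sensitive providers the app has read
    net_destinations: list          # (scheme, host) pairs observed for the app
    dynamic_code_loads: int = 0     # DexClassLoader / runtime-install events (T1407)
    files_deleted: int = 0          # deletions of user data (T1630.002)


@dataclass
class Finding:
    package: str
    score: int
    reasons: list = field(default_factory=list)


def evaluate(app: AppRecord, allowlisted_hosts: frozenset = frozenset()) -> Finding:
    """Score one app; each reason is a technique pairing, not a single event."""
    f = Finding(app.package, 0)
    sensitive = app.sources_read & SENSITIVE_SOURCES
    external = [(s, h) for s, h in app.net_destinations
                if s in WEB_SCHEMES and h not in allowlisted_hosts]
    # Core pairing from the hunt guidance: reads sensitive data AND talks out over web protocols.
    if sensitive and external:
        f.score += 2
        f.reasons.append(f"reads {sorted(sensitive)} and sends to {sorted({h for _, h in external})}")
    if app.dynamic_code_loads:
        f.score += 2
        f.reasons.append(f"{app.dynamic_code_loads} runtime code load event(s)")
    if app.installer not in TRUSTED_INSTALLERS:
        f.score += 1
        f.reasons.append(f"installer '{app.installer or 'unknown'}' not trusted (sideload)")
    # Masquerading check (T1655.001): label claims Google but the signer does not.
    if "google" in app.label.lower() and "google" not in app.signer_cn.lower():
        f.score += 2
        f.reasons.append(f"label '{app.label}' but signer '{app.signer_cn}'")
    if app.files_deleted and sensitive:
        f.score += 1
        f.reasons.append(f"{app.files_deleted} user-data deletions alongside sensitive reads")
    return f


def hunt(records, allowlisted_hosts=frozenset(), threshold=4):
    """Return findings at or above the threshold, highest score first."""
    findings = [evaluate(r, allowlisted_hosts) for r in records]
    return sorted((x for x in findings if x.score >= threshold),
                  key=lambda x: (-x.score, x.package))


# Constructed sample telemetry: none of these packages or hosts are real.
SAMPLE_RECORDS = [
    AppRecord("com.example.keyboard", "Keyboard Plugin", "", "CN=Unknown",
              {"sms", "contacts", "call_log", "location", "external_storage"},
              [("https", "c2.example.invalid")], dynamic_code_loads=3, files_deleted=12),
    AppRecord("com.example.gservices", "Google Services", "", "CN=Someone Else",
              {"contacts", "location"}, [("https", "upload.example.invalid")], dynamic_code_loads=1),
    AppRecord("com.acme.crm", "Acme CRM", "com.android.vending", "CN=Acme Corp",
              {"contacts", "location"}, [("https", "crm.acme.example")]),
    AppRecord("com.example.weather", "Weather", "com.android.vending", "CN=Weather Inc",
              {"location"}, [("https", "api.weather.example")]),
]
ALLOWLIST = frozenset({"crm.acme.example"})  # known enterprise backends

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS, ALLOWLIST):
        print(finding.package, finding.score)
        for reason in finding.reasons:
            print("   -", reason)
```

The allowlist is what keeps the legitimate CRM app out of the results even though it reads contacts and location, which is the "tune for context" point above: a sanctioned enterprise app with a trusted installer and known backend scores zero, while a sideloaded app that combines sensitive reads, external HTTPS traffic and runtime code loading rises above the threshold on the combination alone.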
Mitigation priorities
- Establish or verify Android mobile device management controls for enrolled devices, including app inventory, policy compliance, and restrictions on untrusted app installation where appropriate.
- Require app vetting and permission review for applications installed on devices that access sensitive organizational data.
- Limit exposure of sensitive business data on mobile devices through least privilege, containerization, and access controls where supported by the environment.
- Validate mobile incident response readiness: acquisition process, user consent/legal workflow, device isolation steps, evidence preservation, and escalation criteria.
- Harden identity and cloud access from mobile devices with conditional access signals, device compliance checks, and rapid credential/session response procedures after suspected compromise.
Analyst notes and limits
The supplied ATT&CK object identifies SilkBean as Android surveillanceware with comprehensive RAT functionality and notes reported targeting of the Uyghur ethnic group via the cited Lookout report. The most useful defensive interpretation comes from the relationships to mobile techniques, which show the kinds of data access, evasion, command communication, and device manipulation defenders should validate.
MITRE provides no official detection text, no aliases, no labels, and no tactics for this object in the supplied fields. This take does not assert current activity, attribution beyond the supplied description/reference, customer exposure, or guaranteed detection. Local mobile management coverage, logging depth, legal constraints, and device ownership model will determine what can actually be observed or enforced.
SilkBean
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.003 | Contact List Sub-technique | SilkBean can access device contacts. [1] |
| Mobile | T1406 | Obfuscated Files or Information | SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information. [1] |
| Mobile | T1632.001 | Code Signing Policy Modification Sub-technique | SilkBean has attempted to trick users into enabling installation of applications from unknown sources. [1] |
| Mobile | T1582 | SMS Control | SilkBean can send SMS messages. [1] |
| Mobile | T1437.001 | Web Protocols Sub-technique | SilkBean has used HTTPS for C2 communication. [1] |
| Mobile | T1420 | File and Directory Discovery | SilkBean can get file lists on the SD card. [1] |
| Mobile | T1512 | Video Capture | SilkBean can access the camera on the device. [1] |
| Mobile | T1630.002 | File Deletion Sub-technique | SilkBean can delete various pieces of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage. [1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | SilkBean can access SMS messages. [1] |
| Mobile | T1636.002 | Call Log Sub-technique | SilkBean can access call logs. [1] |
| Mobile | T1407 | Download New Code at Runtime | SilkBean can install new applications which are obtained from the C2 server. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | SilkBean has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications. [1] |
| Mobile | T1521.002 | Asymmetric Cryptography Sub-technique | SilkBean has used HTTPS for C2 communication. [1] |
| Mobile | T1430 | Location Tracking | SilkBean has access to the device's location. [1] |
| Mobile | T1533 | Data from Local System | SilkBean can retrieve files from external storage and can collect browser data. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dc0a7f61c681… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lookout Uyghur Campaign: A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
[2] mitre-attack S0549.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.