
S0550: DoubleAgent

DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.[1]

Platform: Mobile | ID: S0550 | Type: Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DoubleAgent is an Android RAT family documented by MITRE as dating back to 2013 and associated in the supplied source context with mobile surveillance activity against groups with contentious relationships with the Chinese government. For defenders, its value is not a single indicator but the behavior pattern: privilege escalation, hidden or misleading app presence, runtime code download, local data collection, audio/contact/SMS/call-log access, shell execution, and application-layer command traffic. That makes it a useful test case for whether mobile security controls can see beyond app reputation and into risky behavior on managed Android devices.

Executive priority

Treat this as a mobile surveillance and data-loss readiness issue. Leaders should ask whether Android devices used by executives, legal, communications, field teams, or high-risk personnel are enrolled, patched, monitored, and governed with evidence that sensitive permissions, hidden apps, runtime code loading, and suspicious network behavior can be investigated. The ATT&CK entry does not provide impact or active-exploitation claims, so prioritization should be based on local exposure: Android population, sensitivity of mobile data, BYOD policy, high-risk user groups, and incident response ability to preserve and analyze mobile evidence.

Technical view

MITRE provides no detection text for DoubleAgent, so SOC and IR teams should validate coverage against the related Android behaviors: exploitation for privilege escalation, obfuscated files, runtime code download, stored application data access, software/file/system discovery, audio capture, application-layer protocol communications, local data collection, Unix shell use, suppressed application icon, file deletion, call log/contact/SMS collection, client software binary modification, and matching legitimate names or locations. Practical validation should focus on whether managed Android telemetry can show app inventory changes, permission grants, package metadata, hidden launcher activity, dynamic code loading, suspicious file access, shell execution indicators, sensitive content provider access, and network connections by app/package.

Likely telemetry

  • Android device inventory and MDM/UEM enrollment status
  • Installed application/package names, signing information, icons, launcher visibility, and install/update timestamps
  • Application permission requests and grants, especially microphone, contacts, SMS, call log, storage, and device administration where available
  • Mobile endpoint security or behavioral telemetry for obfuscation, runtime code download, shell command use, file deletion, and suspicious binary modification
  • OS version, patch level, device model, root/jailbreak or privilege-escalation indicators

Detection direction

  • Because MITRE lists no official detection guidance, map detections to the related techniques rather than to the malware name alone.
  • Validate whether mobile tooling detects applications that suppress launcher icons or mimic legitimate app names, package names, icons, or file locations.
  • Tune for combinations of sensitive permissions plus suspicious behavior, such as contacts/SMS/call-log access with runtime code download, obfuscated payloads, or unusual application-layer communications.
  • Review blind spots in BYOD and partially managed devices, where permission, package, network, and file telemetry may be limited.
  • Correlate OS version and patch posture with privilege-escalation risk; older or unpatched Android devices may materially change investigation priority.
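Added example, not code from the ATT&CK page or the Lookout report: a scoring rule over constructed Android app-inventory records that implements the "sensitive permissions plus suspicious behaviour" direction above, and also checks for the disguised-asset and trojanized-app patterns in the relationship table. Record field names and the signer table are assumptions about what an MDM/UEM export provides.

```python
# Added example, not code from the ATT&CK page or the Lookout report: a scoring
# rule over constructed Android app-inventory records that implements the
# "sensitive permissions plus suspicious behaviour" direction above.
# Record field names and the signer table are assumptions about your MDM export.
SENSITIVE = {"RECORD_AUDIO", "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Expected signing identity for app labels worth impersonating (T1655.001).
# Values are placeholders; fill from your own vetted app catalogue.
KNOWN_SIGNERS = {"Voxer": "PLACEHOLDER_VOXER_SIGNER"}

def disguised_assets(assets):
    """Names of .png assets whose first bytes are not a PNG header (T1406-style disguise)."""
    return [n for n, head in assets.items()
            if n.lower().endswith(".png") and not head.startswith(PNG_MAGIC)]

def score_app(rec):
    """Return (score, reasons) for one inventory record; score >= 2 is worth triage."""
    reasons = []
    if rec.get("launcher_icon_hidden"):
        reasons.append("T1628.001 launcher icon suppressed")
    if rec.get("dynamic_code_load"):
        reasons.append("T1407 runtime code download")
    if rec.get("shell_exec"):
        reasons.append("T1623.001 shell execution")
    bad = disguised_assets(rec.get("assets", {}))
    if bad:
        reasons.append("T1406 disguised asset: " + ", ".join(bad))
    expected = KNOWN_SIGNERS.get(rec.get("label"))
    if expected and rec.get("signer") != expected:
        reasons.append("T1655.001 label matches known app, signer does not")
    # Sensitive permissions are normal on their own; they add weight only
    # when at least one suspicious behaviour is already present.
    sens = sorted(set(rec.get("permissions", [])) & SENSITIVE)
    if sens and reasons:
        reasons.append("sensitive permissions: " + ", ".join(sens))
    return len(reasons), reasons

# Constructed sample records (not real telemetry).
SAMPLES = [
    {"package": "com.example.voicenotes", "label": "Voice Notes",
     "signer": "abc", "permissions": ["RECORD_AUDIO"], "assets": {}},
    {"package": "com.example.voxer.free", "label": "Voxer", "signer": "zzz",
     "launcher_icon_hidden": True, "dynamic_code_load": True,
     "permissions": ["READ_SMS", "READ_CONTACTS", "READ_CALL_LOG"],
     "assets": {"GoogleMusic.png": b"\x00\x11\x22\x33"}},
]

def triage(records, threshold=2):
    """Return packages whose score meets the threshold, with their reasons."""
    return {r["package"]: score_app(r)[1] for r in records if score_app(r)[0] >= threshold}
```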

Mitigation priorities

  • Prioritize Android patch management and removal or isolation of unsupported devices to reduce privilege-escalation opportunity.
  • Require managed installation sources, app vetting, and inventory control for Android devices handling sensitive business data.
  • Restrict and review high-risk permissions such as microphone, contacts, SMS, call log, storage, and device administration based on business need.
  • Use mobile threat defense, MDM/UEM, or equivalent controls to surface hidden apps, suspicious package identity, runtime code loading, rooting, and risky network behavior where supported.
  • Define mobile IR procedures before an incident, including device containment, evidence preservation, user notification decision points, and legal/privacy constraints.

Analyst notes and limits

This take is based on the supplied MITRE ATT&CK malware object for DoubleAgent, its Android platform designation, the official description, the Lookout external reference, and the listed 'uses' relationships. The most useful defensive interpretation is behavioral: DoubleAgent is represented as a RAT with relationships spanning discovery, collection, evasion, execution, privilege escalation, and data access behaviors on mobile devices.

ATT&CK provides no official detection text, no aliases, no specified tactics, and no supplied indicators of compromise here. The relationships identify behaviors used by this malware, but they do not prove current activity, customer exposure, or detection coverage in any environment. Local mobile management, endpoint, network, and IR telemetry are required to determine practical risk and coverage.

Official MITRE ATT&CK definition

DoubleAgent

DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows

Domain | ID | Name | Relationship / procedure
Mobile | T1628.001 | Suppress Application Icon (sub-technique) | DoubleAgent has hidden its app icon. [1]
Mobile | T1636.003 | Contact List (sub-technique) | DoubleAgent has accessed the contact list. [1]
Mobile | T1636.004 | SMS Messages (sub-technique) | DoubleAgent has captured SMS and MMS messages. [1]
Mobile | T1645 | Compromise Client Software Binary | DoubleAgent has used exploits to root devices and install additional malware on the system partition. [1]
Mobile | T1623.001 | Unix Shell (sub-technique) | DoubleAgent can run arbitrary shell commands. [1]
Mobile | T1429 | Audio Capture | DoubleAgent has captured audio and can record phone calls. [1]
Mobile | T1407 | Download New Code at Runtime | DoubleAgent has downloaded additional code to root devices, such as TowelRoot. [1]
Mobile | T1636.002 | Call Log (sub-technique) | DoubleAgent has accessed the call logs. [1]
Mobile | T1630.002 | File Deletion (sub-technique) | DoubleAgent has deleted or renamed specific files. [1]
Mobile | T1533 | Data from Local System | DoubleAgent has collected files from the infected device. [1]
Mobile | T1437 | Application Layer Protocol | DoubleAgent has used both FTP and TCP sockets for data exfiltration. [1]
Mobile | T1404 | Exploitation for Privilege Escalation | DoubleAgent has used exploit tools to gain root, such as TowelRoot. [1]
Mobile | T1406 | Obfuscated Files or Information | DoubleAgent has used an AES-encrypted file in the assets folder with an unsuspecting name (e.g. ‘GoogleMusic.png’) for holding configuration and C2 information. [1]
Mobile | T1409 | Stored Application Data | DoubleAgent has accessed browser history, as well as the files for 15 other apps. [1]
Mobile | T1420 | File and Directory Discovery | DoubleAgent has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails. [1]
Mobile | T1418 | Software Discovery | DoubleAgent has accessed the list of installed apps. [1]
Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | DoubleAgent has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News. [1]
Mobile | T1426 | System Information Discovery | DoubleAgent has accessed common system information. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: efc50187bd2dd3d5...

Imported snapshots across ATT&CK releases (1):

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | efc50187bd2d…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout Uyghur Campaign: A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  2. [2] mitre-attack S0550: MITRE ATT&CK software entry S0550 (DoubleAgent).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.