S0551: GoldenEagle
GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.[1]
Analyst context for executives and security teams
GoldenEagle matters because ATT&CK describes it as Android malware associated with surveillance-style mobile behaviors: discovering device/app data, collecting local content, call/SMS/contact data, audio, video, screen, and location information, then communicating over web protocols and exfiltrating over C2. For leaders, this is less about one malware name and more about whether the organization can govern and investigate high-risk mobile devices used by executives, travelers, journalists, field staff, or exposed communities.
Executive priority
Prioritize this as a mobile privacy, identity, and operational resilience issue where sensitive communications or physical location could create business, legal, or personal safety risk. Ask whether mobile devices are in compliance scope, whether app permissions and sideloading/code-signing controls are enforceable, and whether incident responders can collect enough mobile telemetry to prove or disprove compromise. Because MITRE provides no official detection text or tactics for this object, coverage should be validated through related techniques rather than assumed from the malware name.
Technical view
SOC and IR teams should validate controls against the related mobile techniques: runtime code download, software/file/system discovery, stored application and local data access, microphone/camera/screen/location collection, SMS/call log/contact collection, SMS control, masquerading as legitimate names or locations, web-protocol C2, and exfiltration over the C2 channel. The object description identifies GoldenEagle as Android malware; several related techniques also list iOS, but platform-specific conclusions should be based on local device fleet and telemetry. Detection engineering should focus on suspicious permission combinations, unexpected dynamic code loading, anomalous app/package identity, unusual access to content providers or external storage, and network behavior inconsistent with the app’s stated purpose.
Likely telemetry
- Mobile device inventory, OS version, patch level, and root/jailbreak/compliance state
- Installed application/package metadata, signing information, install source, app name/icon/package impersonation indicators
- Mobile app permission grants and changes, especially microphone, camera, location, SMS, contacts, call logs, storage, and screen capture-related access
- MDM/UEM policy events for sideloading, unknown sources, code-signing policy changes, and device compliance violations
- Mobile threat defense or endpoint telemetry for dynamic code loading and suspicious application behavior
Detection direction
- Map detections to the related techniques rather than relying on a GoldenEagle signature alone, because the ATT&CK object has no official detection guidance.
- Hunt for apps combining high-risk permissions with behaviors such as runtime code download, app/file/system discovery, and web-protocol communications.
- Tune for false positives from legitimate messaging, collaboration, navigation, camera, and device-management apps by comparing behavior against expected business purpose, publisher/signing metadata, and approved app inventory.
- Validate visibility into Android content-provider access patterns for SMS, contacts, and call logs where available; note that OS permissions and sandboxing may limit what is observable.
- Review mobile network egress for unusual or persistent web-protocol communications from rarely used or unapproved apps, especially when paired with sensitive data-access permissions.
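One way to turn the hunting logic above into a triage score over an app inventory export, as an added example that is not part of the page or of any MITRE or Lookout material. The record fields, the approved-app map and the install-source values are hypothetical and stand in for whatever your MDM/UEM or mobile threat defense product actually emits.

```python
# Added example, not from the page; the AppRecord schema is a hypothetical
# MDM/MTD export and the package names and signer values are constructed.
from dataclasses import dataclass

# Android permissions covering the collection set in the technique table:
# audio, camera, location, SMS, contacts, call logs and external storage.
SENSITIVE = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

@dataclass
class AppRecord:
    """One row of a constructed MDM/MTD app inventory export (hypothetical)."""
    package: str
    signer_sha256: str        # signing certificate fingerprint
    install_source: str       # installer package, e.g. "com.android.vending"
    permissions: set
    dynamic_code_load: bool   # MTD flag: code downloaded or loaded at runtime
    http_egress: bool         # app seen making HTTP POSTs to non-corporate hosts

def score_app(app, approved):
    """Return (score, reasons). `approved` maps package name -> expected signer."""
    expected = approved.get(app.package)
    if expected == app.signer_sha256:
        return 0, ["approved package with matching signer"]  # baselined
    reasons = []
    if expected is not None:   # same name as an approved app, different signer
        reasons.append("package name matches approved app but signer differs")
    hits = app.permissions & SENSITIVE
    if len(hits) >= 3:         # one or two is normal for messaging/navigation apps
        reasons.append(f"{len(hits)} sensitive permissions combined")
    if app.dynamic_code_load:
        reasons.append("runtime code download")
    if app.http_egress and hits:
        reasons.append("web-protocol egress from an app holding data-access permissions")
    if app.install_source != "com.android.vending":
        reasons.append(f"installed from {app.install_source}")
    return len(reasons), reasons

def triage(records, approved, threshold=2):
    """Packages whose score meets the threshold, highest score first."""
    scored = [(app.package, *score_app(app, approved)) for app in records]
    return sorted((r for r in scored if r[1] >= threshold), key=lambda r: -r[1])
```

The signer check is what keeps a trojanized copy of an approved app (same package name, different certificate) from being suppressed by the allow-list.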
Mitigation priorities
- Enforce mobile device management or equivalent governance for devices accessing enterprise data, including device compliance, OS update posture, and app inventory.
- Restrict sideloading and untrusted app installation where feasible; maintain controls around code-signing and approved application sources.
- Apply least-privilege permission governance for microphone, camera, location, SMS, contacts, call logs, storage, and screen capture capabilities.
- Use mobile app risk review for applications requesting sensitive permissions or capable of downloading code after installation.
- Segment and monitor mobile access to enterprise services so a compromised device does not automatically imply broad identity or data exposure.
Analyst notes and limits
The supplied ATT&CK record is sparse for operational detection: no tactics, no official detection text, no aliases, and no explicit platform field beyond the description calling it Android malware. The relationship set is valuable because it shows the behaviors defenders should validate: discovery, collection, masquerading, C2, exfiltration, and mobile permission abuse. The official description also notes targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China, with samples found as early as 2012, sourced to the Lookout report.
This take uses only the provided ATT&CK object, external references, and relationships. It does not establish current activity, attribution, prevalence, customer exposure, or guaranteed detection. Local conclusions require mobile fleet data, approved-app baselines, MDM/UEM visibility, network logs, and legally appropriate forensic collection.
GoldenEagle
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1646 | Exfiltration Over C2 Channel | GoldenEagle has exfiltrated data via both SMTP and HTTP.[1] |
| Mobile | T1420 | File and Directory Discovery | GoldenEagle has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.[1] |
| Mobile | T1632.001 | Code Signing Policy Modification Sub-technique | GoldenEagle has modified or configured proxy information.[1] |
| Mobile | T1636.003 | Contact List Sub-technique | GoldenEagle has collected a list of contacts.[1] |
| Mobile | T1437.001 | Web Protocols Sub-technique | GoldenEagle has used HTTP POST requests for C2.[1] |
| Mobile | T1430 | Location Tracking | GoldenEagle has tracked location.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | GoldenEagle has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.[1] |
| Mobile | T1582 | SMS Control | GoldenEagle has sent messages to an attacker-controlled number.[1] |
| Mobile | T1512 | Video Capture | GoldenEagle has taken photos with the device camera.[1] |
| Mobile | T1429 | Audio Capture | GoldenEagle has recorded calls and environment audio in .amr format.[1] |
| Mobile | T1407 | Download New Code at Runtime | GoldenEagle can download new code to update itself.[1] |
| Mobile | T1426 | System Information Discovery | GoldenEagle has checked for system root.[1] |
| Mobile | T1636.004 | SMS Messages Sub-technique | GoldenEagle has collected SMS messages.[1] |
| Mobile | T1418 | Software Discovery | GoldenEagle has collected a list of installed application names.[1] |
| Mobile | T1513 | Screen Capture | GoldenEagle has taken screenshots.[1] |
| Mobile | T1409 | Stored Application Data | GoldenEagle has extracted messages from chat programs, such as WeChat.[1] |
| Mobile | T1636.002 | Call Log Sub-technique | GoldenEagle has collected call logs.[1] |
| Mobile | T1533 | Data from Local System | GoldenEagle has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d19b3e64416b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lookout Uyghur Campaign: A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
- [2] mitre-attack S0551: MITRE ATT&CK source object for GoldenEagle.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.