S1128: HilalRAT
Analyst context for executives and security teams
HilalRAT matters because it represents remote access-capable Android malware with privacy and operational security implications: the supplied ATT&CK data says it can collect device location and call-related data and activate camera and microphone functions. For organizations with executives, field staff, journalists, activists, or mobile-heavy operations, this shifts mobile security from “device hygiene” to business risk involving sensitive conversations, contacts, location exposure, and incident response readiness.
Executive priority
Treat this as a mobile risk and evidence-readiness issue, not just a malware name. Leaders should ask whether Android devices that handle sensitive work are enrolled in managed controls, whether microphone/camera/location/SMS/contact access is governed and auditable, and whether incident response can preserve and review mobile evidence. Priority is highest where compromised phones could expose executive movement, privileged communications, contact networks, or regulated personal data.
Technical view
ATT&CK lists HilalRAT for Android and relates it to collection-oriented mobile techniques: Stored Application Data, Audio Capture, Location Tracking, Video Capture, Contact List, and SMS Messages. Because no official ATT&CK detection guidance is provided, SOC and IR teams should validate whether their mobile telemetry can show suspicious permission use, application inventory changes, access to sensitive Android content providers, location access patterns, camera/microphone activation indicators where available, and network activity from untrusted or unmanaged apps. Relationship context also notes use by UNC788, but local detections should focus on behavior and device evidence rather than assuming attribution.
Likely telemetry
- Android application inventory and installation source records
- Mobile device management or enterprise mobility management compliance state
- Application permission grants for microphone, camera, location, contacts, SMS, and storage
- Android security, privacy, and audit events where available
- Network connections from mobile applications, especially from unmanaged or suspicious apps
Detection direction
- Validate that mobile monitoring covers Android devices used for sensitive business activity; unmanaged personal devices may be a major blind spot.
- Alerting should prioritize unusual combinations of sensitive permissions, such as microphone, camera, location, contacts, SMS, and storage access in apps without a clear business need.
- Tune detections around behavior: access to Contacts or SMS content providers, persistent/background location access, and suspicious use of camera or microphone APIs where telemetry permits.
- Correlate mobile app inventory, permissions, network destinations, and user/device risk rather than relying on malware family names alone.
- Expect false positives from legitimate communications, navigation, recording, and productivity apps; require baselines and business context before escalation.
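One way to turn the detection direction above into a first-pass triage rule, as an added example that is not part of the ATT&CK object or the Glexia page: it maps Android permission grants to the collection techniques listed for HilalRAT, flags apps whose grants span several of them, adds the installer source as context, and suppresses baselined business apps to limit the false positives the list warns about. The inventory records, package names and baseline set are constructed; the permission strings are real Android permission names.

```python
from collections import namedtuple

# Constructed record shape; permissions are real Android permission strings.
App = namedtuple("App", "package installer permissions")
# Sensitive permission -> ATT&CK mobile technique it supports on this page.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "T1429",
    "android.permission.CAMERA": "T1512",
    "android.permission.ACCESS_FINE_LOCATION": "T1430",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "T1430",
    "android.permission.READ_CONTACTS": "T1636.003",
    "android.permission.READ_SMS": "T1636.004",
    "android.permission.READ_EXTERNAL_STORAGE": "T1409",
}
BASELINE = {"com.example.corp.dialer"}        # hypothetical business-approved apps
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store package name

def score_app(app, min_techniques=3):
    """Return (techniques, reasons); reasons is empty when no escalation is needed."""
    if app.package in BASELINE:
        return set(), []
    techniques = {SENSITIVE[p] for p in app.permissions if p in SENSITIVE}
    if len(techniques) < min_techniques:
        return techniques, []
    reasons = [f"{len(techniques)} collection techniques: {sorted(techniques)}"]
    if app.installer not in TRUSTED_INSTALLERS:
        reasons.append(f"sideloaded via {app.installer or 'unknown installer'}")
    return techniques, reasons

def triage(inventory):
    """Map each escalation-worthy package to the reasons it was flagged."""
    flagged = {}
    for app in inventory:
        _, reasons = score_app(app)
        if reasons:
            flagged[app.package] = reasons
    return flagged

# Constructed inventory: a baselined dialer, a navigation app, and a suspect app.
INVENTORY = [
    App("com.example.corp.dialer", "com.android.vending",
        ["android.permission.RECORD_AUDIO", "android.permission.READ_CONTACTS",
         "android.permission.READ_SMS"]),
    App("com.example.maps", "com.android.vending",
        ["android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA"]),
    App("com.example.update.service", None,
        ["android.permission.RECORD_AUDIO", "android.permission.CAMERA",
         "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
         "android.permission.READ_SMS", "android.permission.READ_EXTERNAL_STORAGE"]),
]
```

Calling `triage(INVENTORY)` flags only the sideloaded app holding permissions across all six techniques; the dialer is suppressed by the baseline and the navigation app falls below the technique threshold.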
Mitigation priorities
- Ensure Android devices used for business are enrolled in managed mobile controls with enforceable app, update, and compliance policies.
- Restrict or review app permissions for microphone, camera, location, contacts, SMS, and storage based on business need.
- Reduce exposure from unmanaged app installation sources and maintain an approved application process for sensitive users.
- Prepare mobile incident response procedures for evidence preservation, device isolation, application triage, and user notification workflows.
- For high-risk roles, consider stricter mobile hardening, separation of personal and business use, and periodic permission/app reviews.
Analyst notes and limits
The supplied ATT&CK object identifies HilalRAT as Android malware developed and used by UNC788 and cites Meta’s 2022 adversarial threat report. The practical defensive value is in validating mobile collection coverage across the related techniques: stored app data, audio, location, video, contacts, and SMS.
ATT&CK provides no official detection text, no tactics for this object, no aliases, and only Android as the platform. This take does not assert active exploitation, customer exposure, or guaranteed detection. Local device management, mobile telemetry, and forensic access determine actual coverage.
HilalRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.003 | Contact List (sub-technique) | HilalRAT can retrieve a device’s contact list. [1] |
| Mobile | T1409 | Stored Application Data | HilalRAT can access and retrieve files on a device. [1] |
| Mobile | T1429 | Audio Capture | HilalRAT can activate a device’s microphone. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | HilalRAT can retrieve a device’s SMS messages. [1] |
| Mobile | T1430 | Location Tracking | HilalRAT can access a device’s location. [1] |
| Mobile | T1512 | Video Capture | HilalRAT can activate a device’s camera. [1] |
Groups, software, and campaigns
G1029: UNC788
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 23f5d6e01073… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Agranovich, D., et al. (2022, April). Adversarial Threat Report. Meta. Retrieved April 2, 2024. (Meta Adversarial Threat Report 2022; open source URL)
- [2] MITRE ATT&CK. S1128: HilalRAT. (mitre-attack S1128; open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.