T1437.001: Web Protocols

Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

GPlayed is an Android trojan with a broad range of capabilities.[1]

FlyTrap is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. FlyTrap was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.[1]

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. [1]

AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder,” which itself was released in September 2021.[1]

CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

Trojan-SMS.AndroidOS.OpFake.a is Android malware. [1]

Trojan-SMS.AndroidOS.Agent.ao is Android malware. [1]

Riltok is banking malware that uses phishing popups to collect user credentials.[1]

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official applications. A new variant of Chameleon has expanded its targets to include Android users in the United Kingdom and Italy.[1][2]

C0033 was a PROMETHIUM campaign during which they used StrongPity to target Android users. C0033 was the first publicly documented mobile campaign for PROMETHIUM, who previously used Windows-based techniques.[1]