Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0506: ViperRAT

ViperRAT is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.[1]

MobileS0506MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

ViperRAT matters because it represents Android surveillanceware behavior centered on collecting sensitive information from mobile devices: audio, video, location, contacts, call logs, SMS messages, local data, and device/network details. For leaders, the practical issue is not just malware removal; it is whether mobile devices used by executives, field staff, administrators, or sensitive operations are governed, monitored, and investigated with enough evidence to prove what data may have been exposed.

Executive priority

Prioritize this as a mobile security and incident-readiness concern where Android devices can access sensitive communications, identity workflows, regulated data, or operational environments. Executives should ask whether mobile device management, application vetting, permission governance, and incident response procedures can identify suspicious apps that request high-risk permissions or download new code after installation. Because ATT&CK provides no official detection guidance for this object, coverage should be validated rather than assumed.

Technical view

SOC, mobile security, and IR teams should map ViperRAT-related coverage to Android telemetry and the associated ATT&CK techniques: runtime code download, network and system discovery, audio/video capture, location tracking, local data collection, call log/contact/SMS access, and masquerading as legitimate apps. Validation should focus on application manifests, granted permissions, app behavior after installation, network connectivity checks, dynamic code loading, access to Android content providers, and evidence of camera, microphone, location, or local storage access. Tactics are not specified in the supplied ATT&CK object, so defenders should use the technique relationships rather than tactic placement as the coverage anchor.

Likely telemetry

  • Android application inventory, package names, signing metadata, icons, install source, and update history
  • Application manifest permissions including microphone, camera, location, contacts, call log, SMS, storage, and background location where applicable
  • Mobile device management or enterprise mobility management compliance and app risk records
  • Runtime behavior showing downloaded code or dynamically loaded modules after installation
  • Network telemetry from mobile devices, including destination connections and connectivity checks

Detection direction

  • Validate whether mobile telemetry can see suspicious permission combinations, not just known malware names.
  • Review apps that mimic legitimate names, icons, package naming patterns, or install locations, especially when paired with sensitive permissions.
  • Tune detections for apps that download and execute code after installation, since this can evade static app-store or pre-install scanning.
  • Correlate network discovery and connectivity checks with sensitive data access behaviors to reduce false positives from benign apps.
  • Establish triage paths for apps accessing contacts, call logs, SMS, microphone, camera, location, or local files without a clear business need.

Mitigation priorities

  • Enforce managed Android enrollment and maintain an authoritative inventory of devices and installed applications.
  • Restrict installation sources and require application vetting for devices that handle sensitive business, executive, regulated, or operational data.
  • Use least-privilege permission governance for microphone, camera, location, contacts, call logs, SMS, and storage access.
  • Monitor or restrict apps capable of downloading new code at runtime where policy and platform controls allow.
  • Keep Android devices updated and remove unsupported devices from sensitive workflows where practical.
Analyst notes and limits

The supplied ATT&CK object identifies ViperRAT as Android surveillanceware operating since at least 2015 and used to target the Israeli Defense Force, with Lookout as the cited external source. The relationship set is rich and points to mobile collection, discovery, masquerading, and runtime code download behaviors, which are more useful for defensive validation than the malware name alone.

Official ATT&CK detection guidance and tactics are not provided for this object. This take is limited to the supplied STIX fields, external references, and relationship context. Local device management data, mobile telemetry depth, app inventory, and business use of Android devices are required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

ViperRAT

ViperRAT is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

13 rows
Domain ID Name Relationship / procedure
Mobile T1407 Download New Code at Runtime

ViperRAT has been installed in two stages and can secretly install new applications.[1]
Mobile T1655.001 Match Legitimate Name or Location Sub-technique

ViperRAT’s second stage has masqueraded as “System Updates”, “Viber Update”, and “WhatsApp Update”.[1]
Mobile T1636.003 Contact List Sub-technique

ViperRAT can collect the device’s contact list.[1]
Mobile T1512 Video Capture

ViperRAT can take photos with the device camera.[1]
Mobile T1426 System Information Discovery

ViperRAT can collect system information, including brand, manufacturer, and serial number.[1]
Mobile T1430 Location Tracking

ViperRAT can track the device’s location.[1]
Mobile T1422 System Network Configuration Discovery

ViperRAT can collect network configuration data from the device, including phone number, SIM operator, and network operator.[1]
Mobile T1533 Data from Local System

ViperRAT can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.[1]
Mobile T1636.002 Call Log Sub-technique

ViperRAT can collect the device’s call log.[1]
Mobile T1421 System Network Connections Discovery

ViperRAT can collect the device’s cell tower information.[1]
Mobile T1422.001 Internet Connection Discovery Sub-technique

ViperRAT can collect network configuration data from the device, including phone number, SIM operator, and network operator.[1]
Mobile T1429 Audio Capture

ViperRAT can collect and record audio content.[1]
Mobile T1636.004 SMS Messages Sub-technique

ViperRAT can collect SMS messages.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1407: Download New Code at Runtime Mobile uses · Technique T1655.001: Match Legitimate Name or Location Mobile uses · Technique T1636.003: Contact List Mobile uses · Technique T1512: Video Capture Mobile uses · Technique T1426: System Information Discovery Mobile uses · Technique T1430: Location Tracking Mobile uses · Technique T1422: System Network Configuration Discovery Mobile uses · Technique T1533: Data from Local System Mobile uses · Technique T1636.002: Call Log Mobile uses · Technique T1421: System Network Connections Discovery Mobile uses · Technique T1422.001: Internet Connection Discovery Mobile uses · Technique T1429: Audio Capture Mobile uses · Technique T1636.004: SMS Messages Mobile
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c1988edfca8b5e64...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c1988edfca8b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Lookout ViperRAT

    M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.

    Open source URL
  2. [2]
    mitre-attack S0506
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use