S0507: eSurv
Analyst context for executives and security teams
eSurv is mobile surveillanceware for Android and iOS associated in ATT&CK with collection, location tracking, audio capture, local data access, encrypted command-and-control, runtime code download, and exfiltration over C2. For leaders, the practical issue is not just malware removal; it is whether mobile devices used by executives, field staff, or sensitive roles could become collection platforms for conversations, contacts, location, and stored data.
Executive priority
Prioritize eSurv-relevant controls where mobile devices carry sensitive communications, regulated data, operational access, or executive/field-location exposure. Key decisions include whether mobile device management, app vetting, permission governance, mobile threat defense telemetry, and incident response playbooks can prove visibility into microphone, location, contacts, local data access, dynamic code loading, and suspicious encrypted network behavior. This object is also useful for audit and risk discussions because it maps mobile surveillance behavior to concrete evidence classes defenders should be able to collect.
Technical view
ATT&CK does not provide a dedicated detection section for eSurv, so SOC and IR teams should validate coverage through the related techniques: Download New Code at Runtime, System Information Discovery, Audio Capture, Location Tracking, Asymmetric Cryptography, SSL Pinning, Data from Local System, Geofencing, Contact List, and Exfiltration Over C2 Channel. On Android and iOS, focus on mobile app inventory, requested and granted permissions, runtime behavior, network destinations and TLS characteristics, C2-like recurring communications, and evidence of sensitive data access. Treat SSL pinning and asymmetric cryptography as analysis obstacles as well as behavioral signals, since they can limit traffic inspection and complicate triage.
Likely telemetry
- Mobile device inventory and installed application inventory for Android and iOS
- Application permission requests and grants, especially microphone, location, contacts, storage, and background location where available
- Mobile threat defense or EDR-style behavioral events for dynamic code loading and suspicious runtime activity
- Network telemetry for recurring outbound connections, encrypted C2-like traffic, and unusual mobile app destinations
- MDM/UEM compliance state, device posture, and jailbreak/root indicators where available
Detection direction
- Validate that mobile security tooling can alert on risky permission combinations, not only known-bad application names.
- Review whether app-vetting processes can identify applications that download new code after installation, because static pre-publication checks may miss this behavior.
- Tune detections for sensitive permission use in context: microphone, contacts, location, and local storage access can be legitimate, so combine permission data with app reputation, install source, network behavior, and user role.
- Account for blind spots created by SSL pinning and application-layer encryption; lack of decrypted content should not be interpreted as lack of risk.
- Use relationship-driven hunting: location access plus geofencing behavior, dynamic code download, and exfiltration over a persistent channel should raise priority even when individual signals are ambiguous.
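The relationship-driven scoring described above, as an added example that is not MITRE or Glexia code: it combines permission combinations, install source, dynamic code loading, persistent encrypted channels and user role into one triage score over constructed app-inventory records (permission labels, package names and field names are assumptions).

```python
# Added example, not MITRE or Glexia code: relationship-driven triage over
# constructed app-inventory records (labels and samples are made up).
from dataclasses import dataclass

COLLECTION_SET = {"RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS"}
GEOFENCE_SET = {"ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"}
STORAGE_PERMS = {"READ_EXTERNAL_STORAGE", "READ_MEDIA_IMAGES"}
@dataclass
class AppRecord:
    package: str
    user_role: str               # "executive", "field" or "staff"
    install_source: str          # "store" or "sideload"
    permissions: set
    dynamic_code_load: bool      # MTD event: code fetched after install
    recurring_tls_beacon: bool   # periodic outbound TLS to one host
    destination_known: bool      # destination has a known, expected reputation

def score_app(rec):
    """Return (score, reasons); signals are combined, none alerts alone."""
    score, reasons = 0, []
    if COLLECTION_SET <= rec.permissions:
        score += 3; reasons.append("mic+location+contacts")
    if GEOFENCE_SET <= rec.permissions:
        score += 2; reasons.append("background location (geofencing-capable)")
    if rec.permissions & STORAGE_PERMS:
        score += 1; reasons.append("local storage access")
    if rec.dynamic_code_load:
        score += 3; reasons.append("downloads code after install")
    if rec.recurring_tls_beacon:
        # Opaque TLS (pinning, app-layer crypto) stays a signal, not a pass.
        score += 1 if rec.destination_known else 2
        reasons.append("persistent encrypted channel")
    if rec.install_source != "store":
        score += 1; reasons.append("not from managed store")
    if rec.user_role in ("executive", "field"):
        score += 1; reasons.append("high-exposure user role")
    return score, reasons

def rank_fleet(records, threshold=6):
    """Records scoring at or above threshold, highest first."""
    scored = sorted(((score_app(r)[0], r) for r in records), key=lambda t: -t[0])
    return [(s, r) for s, r in scored if s >= threshold]
SAMPLES = [  # constructed records, not real telemetry
    AppRecord("com.example.suspect", "executive", "sideload",
              COLLECTION_SET | GEOFENCE_SET | {"READ_EXTERNAL_STORAGE"}, True, True, False),
    AppRecord("com.example.maps", "staff", "store", set(GEOFENCE_SET), False, True, True),
    AppRecord("com.example.chat", "staff", "store",
              {"RECORD_AUDIO", "READ_CONTACTS", "READ_MEDIA_IMAGES"}, False, True, True),
]
```

Only the sideloaded app with the full signal cluster crosses the threshold; the maps and chat apps use sensitive permissions legitimately and stay below it.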
Mitigation priorities
- Start with mobile asset governance: know which Android and iOS devices are allowed to access sensitive business services.
- Enforce application source, app approval, and mobile device compliance policies appropriate to user risk and data sensitivity.
- Limit and periodically review high-risk mobile permissions such as microphone, location, contacts, storage, and background location.
- Deploy or validate mobile threat detection and MDM/UEM controls capable of observing risky app behavior, device posture, and suspicious network activity.
- Prepare IR procedures for suspected mobile surveillance, including device isolation, preservation, user notification paths, credential review, and legal/privacy coordination.
Analyst notes and limits
The strongest defensive value comes from treating eSurv as a mobile surveillance behavior cluster rather than a single malware name. Its ATT&CK relationships emphasize collection from the device and environment, location-aware behavior, protected C2, and data exfiltration. These behaviors affect executive protection, privacy, regulated-data handling, and field operations where mobile devices bridge cyber and physical risk.
MITRE provides no official detection text, no aliases, and no tactics for this object in the supplied fields. The summary relies on the official description, listed Android and iOS platforms, the Lookout external reference, and the supplied technique relationships. Local device fleet composition, mobile telemetry availability, app inventory, and legal authority for mobile forensics are required to determine actual exposure or coverage.
eSurv
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1627.001 | Geofencing Sub-technique | |
| Mobile | T1429 | Audio Capture | |
| Mobile | T1521.002 | Asymmetric Cryptography Sub-technique | |
| Mobile | T1636.003 | Contact List Sub-technique | |
| Mobile | T1426 | System Information Discovery | |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1521.003 | SSL Pinning Sub-technique | |
| Mobile | T1646 | Exfiltration Over C2 Channel | |
| Mobile | T1407 | Download New Code at Runtime | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f94ae80d720b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Lookout. Retrieved September 11, 2020.
- [2] MITRE ATT&CK. S0507: eSurv.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.