Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.
This can be accomplished by requesting the RECEIVE_SMS
or SEND_SMS
permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER
broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.[1][2]
ID | Name | Description |
---|---|---|
S0422 | Anubis | |
S0540 | Asacub | |
S0655 | BusyGasper |
BusyGasper can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.[5] |
S0480 | Cerberus | |
S0425 | Corona Updates |
Corona Updates can send SMS messages.[7] |
S0301 | Dendroid | |
S0505 | Desert Scorpion |
Desert Scorpion can send SMS messages.[9] |
S0522 | Exobot | |
S0509 | FakeSpy | |
S0423 | Ginp | |
S0551 | GoldenEagle |
GoldenEagle has sent messages to an attacker-controlled number.[13] |
S0536 | GPlayed | |
S0485 | Mandrake |
Mandrake can block, forward, hide, and send SMS messages.[15] |
S0539 | Red Alert 2.0 |
Red Alert 2.0 can send SMS messages.[16] |
S0411 | Rotexy |
Rotexy can automatically reply to SMS messages, and optionally delete them.[17] |
S0549 | SilkBean | |
S0328 | Stealth Mango |
Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[18] |
S0545 | TERRACOTTA |
TERRACOTTA can send SMS messages.[19] |
S0558 | Tiktok Pro |
Tiktok Pro can send SMS messages.[20] |
S0427 | TrickMo | |
S0489 | WolfRAT |
ID | Mitigation | Description |
---|---|---|
M1005 | Application Vetting |
Application vetting services could provide further scrutiny to applications that request SMS-based permissions. |
M1011 | User Guidance |
Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1] |
Users can view the default SMS handler in system settings.