DoubleAgent is an Android surveillanceware family used in targeted mobile espionage. The provided content states that it can capture SMS and MMS messages, collect files from infected devices, access call logs, access contact lists, and gather common system information. Infrastructure associated with DoubleAgent included the C2 subdomain apps.androidupdated[.]net. The malware has documented infrastructure overlap with the Android malware family BadBazaar, and some reporting noted that earlier attribution in related activity was based on this overlap. The content also places DoubleAgent among Android surveillanceware families used in 2015 to target the Uyghur ethnic minority. It is further linked by reporting and code-similarity context to China-aligned mobile surveillance activity alongside SilkBean, CarbonSteal, and GoldenEagle, and appears in broader reporting connected to APT15/GREF-linked targeting of Uyghur and other Turkic minority communities.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
However, upon further inspection, that attribution was based on network infrastructure overlap with another Android malware family called DoubleAgent, which Lookout had previously documented in 2020.
1 distinct technique documented for this family, organized by ATT&CK tactic.
AbstractEmu can collect files from or inspect the device’s filesystem. AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf. BOULDSPY can access browser history and bookmarks, and can list all files and folders on the device.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
DoubleAgent is an Android surveillanceware used by APT15 for espionage and monitoring of targeted individuals.
Named malware referenced through overlapping C2 infrastructure with BADBAZAAR-linked domains.
Android surveillanceware family reported by Lookout (2020) that shares C2 infrastructure with BadBazaar, suggesting common management/operation.
Android malware family referenced in attribution analysis due to infrastructure overlap with BadBazaar; linked by prior reporting to XSLCmd and the GREF group.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.