ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > List all tools > List all groups using tool callCam

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: callCam

TypeReconnaissance, Backdoor, Info stealer, Exfiltration
Description(Trend Micro) The apps Camero and FileCrypt Manger act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.

The app callCam hides its icon on the device after being launched. It collects the following information and sends it back to the C&C server in the background:

• Location
• Battery status
• Files on device
• Installed app list
• Device information
• Sensor information
• Camera information
• Screenshot
• Account
• Wifi information
• Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

The app encrypts all stolen data using RSA and AES encryption algorithms. It uses SHA256 to verify data integrity and customize the encoding routine. When encrypting, it creates a block of data we named headData. This block contains the first 9 bytes of origin data, origin data length, random AES IV, the RSA-encrypted AES encrypt key, and the SHA256 value of AES-encrypted origin data. Then the headData is encoded through the customized routine. After the encoding, it is stored in the head of the final encrypted file followed by the data of the AES-encrypted original data.

Last change to this tool card: 29 April 2020

Download this tool card in JSON format

All groups using tool callCam


APT groups

XSideWinder, RattlesnakeIndia2012-May 2022 HOT 

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]