{ "type": "bundle", "id": "bundle--0cde353c-ea5b-4668-9f68-971946609282", "spec_version": "2.0", "objects": [ { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1453", "url": "https://attack.mitre.org/techniques/T1453" }, { "url": "https://www.skycure.com/blog/accessibility-clickjacking/", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", "source_name": "Skycure-Accessibility" }, { "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "source_name": "android-trojan-steals-paypal-2fa" }, { "source_name": "banking-trojans-google-play", "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019." } ], "description": "**This technique has been deprecated. 
Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", "name": "Abuse Accessibility Features", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2020-03-30T14:03:43.761Z", "created": "2017-10-25T14:48:08.613Z", "x_mitre_is_subtechnique": false, "x_mitre_deprecated": true, "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1056", "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ] }, { "x_mitre_old_attack_id": "MOB-T1004", "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device 
Access" ], "x_mitre_platforms": [ "Android" ], "x_mitre_detection": "The device user can view a list of apps with Device Administrator privilege in the device settings.", "created": "2017-10-25T14:48:29.774Z", "modified": "2019-02-03T16:56:41.200Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1401", "external_id": "T1401" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-22" } ], "description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.", "name": "Abuse Device Administrator Access to Prevent Removal", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483" }, { "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "name": "Abuse of iOS Enterprise App Signing Key", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1445", "external_id": "T1445" } ], "x_mitre_old_attack_id": "MOB-T1048", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.701Z", "created": "2017-10-25T14:48:16.288Z" }, { "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Calendar Entries", "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "external_references": [ { 
"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1435", "external_id": "T1435" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1038", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:20.727Z" }, { "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Call Log", "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1433", "external_id": "T1433" }, { "external_id": "APP-13", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": 
"collection" } ], "modified": "2019-09-18T18:17:43.466Z", "created": "2017-10-25T14:48:11.116Z", "x_mitre_old_attack_id": "MOB-T1036", "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions." }, { "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Contact List", "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1432", "external_id": "T1432" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1035", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:11.535Z" }, { "external_references": [ { "url": "https://attack.mitre.org/techniques/T1517", "source_name": 
"mitre-mobile-attack", "external_id": "T1517" }, { "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. Retrieved September 15, 2019.", "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/", "source_name": "ESET 2FA Bypass" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Notifications", "description": "A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)", "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2020-07-09T14:07:02.217Z", "created": "2019-09-15T15:26:08.183Z", "x_mitre_is_subtechnique": false, "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. 
Apps & notification -> Special app access -> Notification access).", "x_mitre_platforms": [ "Android" ] }, { "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Sensitive Data in Device Logs", "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1413", "external_id": "T1413" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", "external_id": "APP-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1016", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:17.176Z" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1409", "external_id": "T1409" }, { "external_id": "AUT-0", "source_name": "NIST Mobile Threat Catalogue", 
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html" }, { "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "source_name": "SWB Exodus March 2019" } ], "description": "Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)\n\nThis technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).", "name": "Access Stored Application Data", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2019-10-10T14:17:48.920Z", "created": "2017-10-25T14:48:15.402Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1012", "x_mitre_detection": "Accessing stored application data can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior." 
}, { "created": "2017-10-25T14:48:27.307Z", "modified": "2018-10-17T00:14:20.652Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "type": "attack-pattern", "x_mitre_old_attack_id": "MOB-T1041", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1438", "external_id": "T1438" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "external_id": "APP-30" } ], "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. 
Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.", "name": "Alternate Network Mediums", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a" }, { "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "name": "App Delivered via Email Attachment", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1434", "external_id": "T1434" } ], "x_mitre_old_attack_id": "MOB-T1037", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.699Z", "created": "2017-10-25T14:48:10.699Z" }, { "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "name": "App Delivered via Web Download", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1431", "external_id": "T1431" } ], "x_mitre_old_attack_id": "MOB-T1034", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.699Z", "created": "2017-10-25T14:48:11.861Z" }, { "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Application Discovery", "description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device. 
(Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple's App Store.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1418", "external_id": "T1418" }, { "source_name": "Android-PackageManager", "description": "Android. (n.d.). PackageManager. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/content/pm/PackageManager.html" }, { "source_name": "Kurtz-MaliciousiOSApps", "description": "Andreas Kurtz. (2014, September 18). Malicious iOS Apps. Retrieved December 21, 2016.", "url": "https://andreas-kurtz.de/2014/09/malicious-ios-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1021", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:28.067Z" }, { "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Attack PC via USB Connection", "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. 
We are unaware of any demonstrations on iOS.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1427", "external_id": "T1427" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "PHY-2" }, { "source_name": "Wang-ExploitingUSB", "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016.", "url": "http://dl.acm.org/citation.cfm?id=1920314" }, { "source_name": "ArsTechnica-PoisonTap", "description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.", "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "modified": "2019-02-03T14:51:19.932Z", "created": "2017-10-25T14:48:13.625Z", "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1030" }, { "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "name": "Biometric Spoofing", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1460", "external_id": "T1460" } ], "x_mitre_old_attack_id": "MOB-T1063", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.703Z", "created": "2017-10-25T14:48:24.069Z" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1402", "url": 
"https://attack.mitre.org/techniques/T1402" }, { "source_name": "Android Changes to System Broadcasts", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." } ], "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "name": "Broadcast Receivers", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "modified": "2020-03-27T15:28:03.858Z", "created": "2017-10-25T14:48:30.127Z", "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1005", "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", "x_mitre_contributors": [ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_is_subtechnique": false }, { "created": "2017-10-25T14:48:12.913Z", "modified": "2019-09-20T17:59:11.041Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1429", "external_id": "T1429" }, { "external_id": "APP-19", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html" } ], "description": "Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information.\n\nAndroid and iOS, by default, require that an application request access to microphone devices from the user. 
In Android, applications must hold the android.permission.RECORD_AUDIO permission to access the microphone and the android.permission.CAPTURE_AUDIO_OUTPUT permission to access audio output such as speakers. Android does not allow third-party applications to hold android.permission.CAPTURE_AUDIO_OUTPUT, so audio output can only be obtained by privileged applications (distributed by Google or the device vendor) or after a successful privilege escalation attack. In iOS, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file.", "name": "Capture Audio", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1032" }, { "created": "2019-08-09T16:14:58.254Z", "modified": "2019-09-12T18:33:15.023Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "type": "attack-pattern", "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "description": "Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the `android.permission.CAMERA` permission to access the camera. 
In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file, and must request access to the camera at runtime.", "name": "Capture Camera", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "T1512", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1512" }, { "external_id": "APP-19", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html" } ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_detection": "On Android and iOS, the user can view which applications have permission to use the camera through the device settings screen, and the user can choose to revoke the permissions." }, { "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Capture Clipboard Data", "description": "Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. 
For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.(Citation: Fahl-Clipboard)\n\nOn Android, ClipboardManager.OnPrimaryClipChangedListener can be used by applications to register as a listener and monitor the clipboard for changes.(Citation: Github Capture Clipboard 2019)\n\nAndroid 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is in the foreground or is set as the device\u2019s default input method editor (IME).(Citation: Android 10 Privacy Changes)", "external_references": [ { "external_id": "T1414", "url": "https://attack.mitre.org/techniques/T1414", "source_name": "mitre-mobile-attack" }, { "external_id": "APP-35", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html" }, { "source_name": "Fahl-Clipboard", "url": "http://saschafahl.de/static/paper/pwmanagers2013.pdf", "description": "Fahl, S., et al. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019." }, { "source_name": "Github Capture Clipboard 2019", "url": "https://github.com/grepx/android-clipboard-security", "description": "Pearce, G. (, January). Retrieved August 8, 2019." }, { "source_name": "Android 10 Privacy Changes", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "phase_name": "collection", "kill_chain_name": "mitre-mobile-attack" }, { "phase_name": "credential-access", "kill_chain_name": "mitre-mobile-attack" } ], "modified": "2019-09-13T20:46:26.223Z", "created": "2017-10-25T14:48:19.996Z", "x_mitre_detection": "Capturing clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_old_attack_id": "MOB-T1017", "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Capture SMS Messages", "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. 
Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1412", "external_id": "T1412" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2019-09-18T18:28:50.898Z", "created": "2017-10-25T14:48:15.920Z", "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", "x_mitre_old_attack_id": "MOB-T1015", "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Carrier Billing Fraud", "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. 
This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages programmatically without user interaction.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014). Note that this consent prompt only covers outbound premium SMS; the toll-billing path described above requires no outbound SMS and is therefore not mitigated by it.", "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1448", "url": "https://attack.mitre.org/techniques/T1448" }, { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends). Retrieved April 27, 2020." }, { "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf", "description": "Google. (2014). Android Security 2014 Year in Review. 
Retrieved December 12, 2016.", "source_name": "AndroidSecurity2014" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2020-05-04T15:40:20.943Z", "created": "2017-10-25T14:48:09.082Z", "x_mitre_is_subtechnique": false, "x_mitre_old_attack_id": "MOB-T1051", "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ], "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions." }, { "external_references": [ { "url": "https://attack.mitre.org/techniques/T1510", "source_name": "mitre-mobile-attack", "external_id": "T1510" }, { "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019.", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/", "source_name": "ESET Clipboard Modification February 2019" }, { "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019.", "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", "source_name": "Welivesecurity Clipboard Modification February 2019" }, { "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. 
Retrieved July 26, 2019.", "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf", "source_name": "Syracuse Clipboard Modification 2014" }, { "source_name": "Dr.Webb Clipboard Modification origin2 August 2018", "url": "https://vms.drweb.com/virus/?i=17517761", "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019." }, { "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019.", "url": "https://vms.drweb.com/virus/?i=17517750", "source_name": "Dr.Webb Clipboard Modification origin August 2018" }, { "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "source_name": "Android 10 Privacy Changes" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Clipboard Modification", "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background. Beginning with Android 10, however, an app can read the clipboard only while it is the default input method editor (IME) or the app that currently has input focus, which limits background clipboard monitoring.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use 
[Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2019-10-28T18:36:26.261Z", "created": "2019-07-26T14:15:31.451Z", "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ] }, { "created": "2019-10-30T15:37:55.029Z", "modified": "2020-03-29T04:07:06.663Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "type": "attack-pattern", "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1540", "url": "https://attack.mitre.org/techniques/T1540" }, { "source_name": "Shunix Code Injection Mar 2016", "url": "https://shunix.com/shared-library-injection-in-android/", "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019." 
}, { "source_name": "Fadeev Code Injection Aug 2018", "url": "https://fadeevab.com/shared-library-injection-on-android-8/", "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019." }, { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Code Injection", "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. 
In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_is_subtechnique": false, "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. \n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1436", "external_id": "T1436" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "modified": "2019-06-19T19:25:33.180Z", "created": "2017-10-25T14:48:16.650Z", "x_mitre_old_attack_id": "MOB-T1039", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1577", "url": "https://attack.mitre.org/techniques/T1577" }, { 
"source_name": "Guardsquare Janus", "url": "https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures", "description": "Guarsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020." }, { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Compromise Application Executable", "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. 
These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "modified": "2020-05-27T13:23:34.159Z", "created": "2020-05-07T15:24:49.068Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable on the device itself. Comparing the hash of an installed APK against a known-good copy (for example, the version distributed by the app store) may reveal a modified application; a Janus-style modification preserves the signature but not the file contents, so signature verification alone is not sufficient.", "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "T1532", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1532" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Data Encrypted", "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. 
Common file formats that can encrypt files are RAR and zip.", "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "modified": "2019-10-10T15:00:44.181Z", "created": "2019-10-10T15:00:44.181Z", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs, and are therefore undetectable to the end user.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Data Encrypted for Impact", "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. 
We are unaware of any demonstrated use on iOS.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1471", "external_id": "T1471" }, { "external_id": "APP-28", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2019-10-01T13:51:22.001Z", "created": "2017-10-25T14:48:10.285Z", "x_mitre_old_attack_id": "MOB-T1074", "x_mitre_version": "3.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "T1533", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1533" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Data from Local System", "description": "Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.\n\nLocal system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). 
Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.", "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "modified": "2019-10-11T14:53:38.987Z", "created": "2019-10-10T15:12:42.790Z", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Delete Device Data", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1447", "external_id": "T1447" }, { "source_name": "Android DevicePolicyManager 2019", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html", "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2020-10-01T12:52:58.150Z", "created": "2017-10-25T14:48:31.694Z", "x_mitre_is_subtechnique": false, "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", "x_mitre_old_attack_id": "MOB-T1050", "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ] }, { "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Deliver Malicious App via Authorized App Store", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. 
Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1475", "external_id": "T1475" }, { "external_id": "ECO-4", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html" }, { "external_id": "ECO-16", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html" }, { "external_id": "ECO-17", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html" }, { "external_id": "APP-20", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html" }, { "external_id": "APP-21", "source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html" }, { "external_id": "ECO-22", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html" }, { "url": "http://dl.acm.org/citation.cfm?id=2592796", "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.", "source_name": "Petsas" }, { "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf", "description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.", "source_name": "Oberheide-Bouncer" }, { "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf", "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.", "source_name": "Percoco-Bouncer" }, { "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei", "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.", "source_name": "Wang" }, { "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/", "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.", "source_name": "Oberheide-RemoteInstall" }, { "url": "http://www.vvdveen.com/publications/BAndroid.pdf", "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. 
Retrieved December 12, 2016.", "source_name": "Konoth" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2019-10-14T17:42:49.817Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_old_attack_id": "MOB-T1078", "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity." }, { "created": "2018-10-17T00:14:20.652Z", "modified": "2019-10-28T18:33:12.646Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "T1476", "url": "https://attack.mitre.org/techniques/T1476", "source_name": "mitre-mobile-attack" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "AUT-9" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-13" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-21" }, { "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. 
Retrieved November 8, 2018.", "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861", "source_name": "IBTimes-ThirdParty" }, { "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/", "source_name": "TrendMicro-RootingMalware" }, { "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/", "source_name": "TrendMicro-FlappyBird" }, { "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "source_name": "android-trojan-steals-paypal-2fa" } ], "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. 
However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1192) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "name": "Deliver Malicious App via Other Means", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. 
\n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\". On Android 8.0 and later this is a per-app \"Install unknown apps\" permission rather than a single global toggle, so the check should enumerate which apps have been granted that capability.\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.2", "x_mitre_old_attack_id": "MOB-T1079" }, { "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "name": "Detect App Analysis Environment", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1440", "external_id": "T1440" } ], "x_mitre_old_attack_id": "MOB-T1043", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.700Z", "created": "2017-10-25T14:48:26.473Z" }, { "created": "2017-10-25T14:48:17.886Z", "modified": "2019-10-09T14:39:38.930Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1446", "external_id": "T1446" }, { "external_id": "APP-28", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" }, { "source_name": "Android resetPassword", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)", "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019." }, { "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", "description": "Claud Xiao. (2015, August 30). 
KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "source_name": "Xiao-KeyRaider" } ], "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. Beginning with Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode, so an ordinary device administrator app can no longer do so.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new one. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "name": "Device Lockout", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1049", "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate." }, { "created": "2017-10-25T14:48:28.456Z", "modified": "2019-10-16T13:24:48.936Z", "type": "attack-pattern", "revoked": true, "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "name": "Device Type Discovery", "external_references": [ { "external_id": "T1419", "url": "https://attack.mitre.org/techniques/T1419", "source_name": "mitre-mobile-attack" }, { "url": "https://developer.android.com/reference/android/os/Build", "description": "Android. (n.d.). Build. 
Retrieved December 21, 2016.", "source_name": "Android-Build" } ], "x_mitre_old_attack_id": "MOB-T1022" }, { "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "name": "Device Unlock Code Guessing or Brute Force", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1459", "external_id": "T1459" } ], "x_mitre_old_attack_id": "MOB-T1062", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.703Z", "created": "2017-10-25T14:48:23.652Z" }, { "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1408", "external_id": "T1408" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "EMM-5" }, { "source_name": "Brodie", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf" }, { "source_name": "Tan", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017.", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" }, { "source_name": "Rastogi", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2019-02-03T14:34:59.071Z", "created": "2017-10-25T14:48:14.003Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1011" }, { "external_references": [ { "external_id": "T1520", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1520" }, { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." }, { "source_name": "Data Driven Security DGA", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "modified": "2019-09-23T14:53:42.654Z", "created": "2019-09-23T13:11:43.694Z", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Downgrade to Insecure Protocols", "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1466", "external_id": "T1466" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-3" }, { "source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. 
Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T15:16:13.386Z", "created": "2017-10-25T14:48:21.667Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1069" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1407", "external_id": "T1407" }, { "external_id": "APP-20", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html" }, { "url": "https://www.internetsociety.org/sites/default/files/10_5_0.pdf", "description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014, February). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved December 21, 2016.", "source_name": "Poeplau-ExecuteThis" }, { "url": "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/", "description": "Tom Sutcliffe. (2014, July 31). Remote code execution on Android devices. Retrieved December 9, 2016.", "source_name": "Bromium-AndroidRCE" }, { "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html", "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. 
Retrieved December 9, 2016.", "source_name": "FireEye-JSPatch" }, { "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei", "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.", "source_name": "Wang" } ], "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis)\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE)\n\nOn iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)", "name": "Download New Code at Runtime", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2019-10-09T19:40:52.090Z", "created": "2017-10-25T14:48:14.460Z", "x_mitre_detection": "Downloading new code at runtime can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.2", "x_mitre_old_attack_id": "MOB-T1010" }, { "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Drive-by Compromise", "description": "As described by [Drive-by 
Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1456", "external_id": "T1456" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", "external_id": "CEL-22" }, { "source_name": "Zimperium-Stagefright", "description": "Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. 
Retrieved December 23, 2016.", "url": "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1059", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:06.822Z" }, { "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Eavesdrop on Insecure Network Communication", "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1439", "external_id": "T1439" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-0" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-1" }, { "source_name": "mHealth", "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. 
Retrieved December 24, 2016.", "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T14:54:29.631Z", "created": "2017-10-25T14:48:26.104Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1042" }, { "external_references": [ { "external_id": "T1523", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1523" }, { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" }, { "source_name": "ThreatFabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." }, { "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "source_name": "Xiao-ZergHelper" }, { "source_name": "Cyberscoop Evade Analysis January 2019", "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/", "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019." 
}, { "source_name": "Github Anti-emulator", "url": "https://github.com/strazzere/anti-emulator", "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019." }, { "source_name": "Sophos Anti-emulation", "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/", "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Evade Analysis Environment", "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2019-10-11T14:48:50.525Z", "created": "2019-10-02T14:46:43.632Z", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary 
Device Access" ], "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "name": "Exploit Baseband Vulnerability", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1455", "external_id": "T1455" } ], "x_mitre_old_attack_id": "MOB-T1058", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.702Z", "created": "2017-10-25T14:48:07.149Z" }, { "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit Enterprise Resources", "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1428", "external_id": "T1428" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", "external_id": "APP-32" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1031", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:13.259Z" }, { "created": "2017-10-25T14:48:29.405Z", "modified": 
"2018-10-17T00:14:20.652Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "type": "attack-pattern", "x_mitre_old_attack_id": "MOB-T1007", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1404", "external_id": "T1404" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26" } ], "description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.", "name": "Exploit OS Vulnerability", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" }, { "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1449", "external_id": "T1449" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-37" }, { "source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { "source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. 
Retrieved November 8, 2018.", "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/", "source_name": "TheRegister-SS7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T16:28:52.821Z", "created": "2017-10-25T14:48:06.524Z", "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1052" }, { "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit SS7 to Track Device Location", "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1450", "external_id": "T1450" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-38" }, { "source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. 
Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { "source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T15:06:10.014Z", "created": "2017-10-25T14:48:09.864Z", "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1053" }, { "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit TEE Vulnerability", "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1405", "external_id": "T1405" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" }, { "source_name": "Thomas-TrustZone", "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016.", "url": "https://usmile.at/symposium/program/2015/thomas-holmes" }, { "source_name": "QualcommKeyMaster", "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016.", "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html" }, { "source_name": "EkbergTEE", "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.", "url": "https://usmile.at/symposium/program/2015/ekberg" }, { "source_name": "laginimaineb-TEE", "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. 
Retrieved December 21, 2016.", "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1008", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:22.716Z" }, { "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit via Charging Station or PC", "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking).\n\nPrevious demonstrations have included:\n\n* Injecting malicious applications into iOS devices(Citation: Lau-Mactans).\n* Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).\n* Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1458", "external_id": "T1458" }, { "url": 
"https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "PHY-1" }, { "source_name": "Krebs-JuiceJacking", "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.", "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/" }, { "source_name": "Lau-Mactans", "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.", "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf" }, { "source_name": "IBM-NexusUSB", "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.", "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/" }, { "source_name": "GoogleProjectZero-OATmeal", "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.", "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html" }, { "source_name": "Computerworld-iPhoneCracking", "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. 
Retrieved September 21, 2018.", "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2019-02-03T15:10:41.460Z", "created": "2017-10-25T14:48:23.233Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1061" }, { "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit via Radio Interfaces", "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1477", "external_id": "T1477" }, { "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. 
Retrieved November 8, 2018.", "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html", "source_name": "ProjectZero-BroadcomWiFi" }, { "source_name": "Register-BaseStation", "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016.", "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/" }, { "source_name": "Weinmann-Baseband", "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016.", "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf" }, { "source_name": "Forbes-iPhoneSMS", "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.", "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html" }, { "source_name": "SRLabs-SIMCard", "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. 
Retrieved December 23, 2016.", "url": "https://srlabs.de/bites/rooting-sim-cards/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2019-02-03T15:19:22.439Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1080" }, { "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "name": "Fake Developer Accounts", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1442", "external_id": "T1442" } ], "x_mitre_old_attack_id": "MOB-T1045", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.701Z", "created": "2017-10-25T14:48:28.786Z" }, { "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "File and Directory Discovery", "description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policy strongly restrict what an unprivileged app can access; enumerating beyond the app's own sandbox generally requires a privilege escalation exploit. 
The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1420", "external_id": "T1420" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1023", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:21.965Z" }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1541", "url": "https://attack.mitre.org/techniques/T1541" }, { "external_id": "APP-19", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html" }, { "source_name": "Android-SensorsOverview", "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices", "description": "Google. (n.d.). Sensors Overview. Retrieved November 19, 2019." }, { "source_name": "Android-ForegroundServices", "url": "https://developer.android.com/guide/components/services.html#Foreground", "description": "Google. (n.d.). Services overview. Retrieved November 19, 2019." }, { "source_name": "BlackHat Sutter Android Foreground 2019", "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf", "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. Retrieved December 26, 2019." 
}, { "source_name": "TrendMicro-Yellow Camera", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/", "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Foreground Persistence", "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "modified": "2019-12-26T16:14:33.302Z", "created": "2019-11-19T17:32:20.373Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.", "x_mitre_contributors": [ "Lorin Wu, Trend Micro" ], "x_mitre_platforms": [ "Android" ] }, { "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Generate Fraudulent Advertising Revenue", "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1472", "external_id": "T1472" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2019-07-03T20:21:22.168Z", "created": "2017-10-25T14:48:18.937Z", "x_mitre_old_attack_id": "MOB-T1075", "x_mitre_version": 
"1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1581", "url": "https://attack.mitre.org/techniques/T1581" }, { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." }, { "source_name": "Android Geofencing API", "url": "https://developer.android.com/training/location/geofencing", "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020." }, { "source_name": "Apple Location Services", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services", "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. 
The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). 
Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2020-10-01T12:43:41.494Z", "created": "2020-09-11T15:04:14.532Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Input Capture", "description": "Adversaries may capture user input to obtain credentials or other information from the user through various methods.\n\nMalware may masquerade as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nOn Android, malware may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. 
The event object passed into the function will contain the data that the user typed.\n\nAdditional methods of keylogging may be possible if root access is available.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1417", "external_id": "T1417" }, { "url": "https://zeltser.com/third-party-keyboards-security/", "description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.", "source_name": "Zeltser-Keyboard" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2020-06-24T15:09:12.483Z", "created": "2017-10-25T14:48:27.660Z", "x_mitre_is_subtechnique": false, "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", "x_mitre_old_attack_id": "MOB-T1020", "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "external_references": [ { "url": "https://attack.mitre.org/techniques/T1516", "source_name": "mitre-mobile-attack", "external_id": "T1516" }, { "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. 
Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "source_name": "android-trojan-steals-paypal-2fa" }, { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" }, { "description": "Bitwarden. (n.d.). Auto-fill logins on Android. Retrieved September 15, 2019.", "url": "https://help.bitwarden.com/article/auto-fill-android/", "source_name": "bitwarden autofill logins" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Input Injection", "description": "A malicious application can inject input to the user interface to mimic user interaction by abusing Android's accessibility APIs. This requires the user to have enabled the application's accessibility service in the device settings.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. 
This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2020-06-24T15:02:13.323Z", "created": "2019-09-15T15:26:22.356Z", "x_mitre_is_subtechnique": false, "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ], "x_mitre_platforms": [ "Android" ] }, { "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Input Prompt", "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. 
The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently from typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1411", "external_id": "T1411" }, { "external_id": "APP-31", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html" }, { "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", "source_name": "Felt-PhishingOnMobileDevices" }, { "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, September 19). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", "source_name": "eset-finance" }, { "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. 
Retrieved January 19, 2017.", "source_name": "Android-getRunningTasks" }, { "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.", "source_name": "StackOverflow-getRunningAppProcesses" }, { "source_name": "ThreatFabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." }, { "source_name": "Hassell-ExploitingAndroid", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf" }, { "source_name": "Android Background", "url": "https://developer.android.com/guide/components/activities/background-starts", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019." }, { "source_name": "Cloak and Dagger", "url": "http://cloak-and-dagger.org/", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019." }, { "source_name": "NowSecure Android Overlay", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/", "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019." }, { "url": "https://www.skycure.com/blog/accessibility-clickjacking/", "description": "Yair Amit. (2016, March 3). 
\u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", "source_name": "Skycure-Accessibility" }, { "source_name": "XDA Bubbles", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019." }, { "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff", "source_name": "Group IB Gustuff Mar 2019" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2020-06-24T15:04:20.321Z", "created": "2017-10-25T14:48:34.407Z", "x_mitre_is_subtechnique": false, "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", "x_mitre_old_attack_id": "MOB-T1014", "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "name": "Insecure Third-Party Libraries", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1425", "external_id": "T1425" } ], "x_mitre_old_attack_id": "MOB-T1028", "type": "attack-pattern", "modified": 
"2018-10-17T01:05:10.699Z", "created": "2017-10-25T14:48:30.462Z" }, { "id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Install Insecure or Malicious Configuration", "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to man-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1478", "external_id": "T1478" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7" }, { "source_name": "Symantec-iOSProfile", "description": "Yair Amit. (2013, March 12). Malicious Profiles \u2013 The Sleeping Giant of iOS Security. 
Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security" }, { "source_name": "Talos-MDM", "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018.", "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1081", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Jamming or Denial of Service", "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. 
(Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1464", "external_id": "T1464" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-7" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-8" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "LPN-5" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "GPS-0" }, { "source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" }, { "description": "Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.", "url": "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/", "source_name": "CNET-Celljammer" }, { "description": "Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.", "url": "https://www.nytimes.com/2007/11/04/technology/04jammer.html", "source_name": "NYTimes-Celljam" }, { "description": "Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students\u2019 cell phones. 
Retrieved November 8, 2018.", "url": "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/", "source_name": "Digitaltrends-Celljam" }, { "description": "David Kravets. (2016, March 10). Man accused of jamming passengers\u2019 cell phones on Chicago subway. Retrieved November 8, 2018.", "url": "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/", "source_name": "Arstechnica-Celljam" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T14:15:21.946Z", "created": "2017-10-25T14:48:25.740Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1067" }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1579", "url": "https://attack.mitre.org/techniques/T1579" }, { "external_id": "AUT-11", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html" }, { "source_name": "Apple Keychain Services", "url": "https://developer.apple.com/documentation/security/keychain_services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020." }, { "source_name": "Elcomsoft Decrypt Keychain", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/", "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Keychain", "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2020-06-24T19:02:46.237Z", "created": "2020-06-24T17:33:49.778Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", "x_mitre_platforms": [ "iOS" ] }, { "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Location Tracking", "description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1430", "external_id": "T1430" }, { "external_id": 
"APP-24", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2019-10-15T20:01:06.186Z", "created": "2017-10-25T14:48:12.267Z", "x_mitre_old_attack_id": "MOB-T1033", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions." }, { "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Lockscreen Bypass", "description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. 
\n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1461", "external_id": "T1461" }, { "source_name": "SRLabs-Fingerprint", "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.", "url": "https://srlabs.de/bites/spoofing-fingerprints/" }, { "source_name": "SecureIDNews-Spoof", "description": "Zack Martin. (2016, March 11). Another spoof of mobile biometrics. Retrieved September 18, 2018.", "url": "https://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/" }, { "source_name": "TheSun-FaceID", "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple\u2019s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.", "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/" }, { "source_name": "Apple-TouchID", "description": "Apple. (2015, November 3). About Touch ID security on iPhone and iPad. Retrieved December 23, 2016.", "url": "https://support.apple.com/en-us/HT204587" }, { "source_name": "Wired-AndroidBypass", "description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.", "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/" }, { "source_name": "Kaspersky-iOSBypass", "description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. 
Retrieved December 23, 2016.", "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2019-02-03T17:08:07.111Z", "created": "2017-10-25T14:48:24.488Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1064" }, { "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "name": "Malicious Media Content", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1457", "external_id": "T1457" } ], "x_mitre_old_attack_id": "MOB-T1060", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.703Z", "created": "2017-10-25T14:48:19.682Z" }, { "created": "2017-10-25T14:48:08.155Z", "modified": "2019-04-29T19:35:30.985Z", "type": "attack-pattern", "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "name": "Malicious SMS Message", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1454", "external_id": "T1454" } ], "x_mitre_old_attack_id": "MOB-T1057" }, { "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "name": "Malicious Software Development Tools", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1462", "external_id": "T1462" } ], "x_mitre_old_attack_id": "MOB-T1065", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.704Z", "created": "2017-10-25T14:48:24.905Z" }, { "id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "name": "Malicious or Vulnerable Built-in Device Functionality", "revoked": true, "external_references": [ { 
"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1473", "external_id": "T1473" } ], "x_mitre_old_attack_id": "MOB-T1076", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.704Z", "created": "2017-10-25T14:48:09.446Z" }, { "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Manipulate App Store Rankings or Ratings", "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1452", "external_id": "T1452" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2019-07-03T20:25:59.845Z", "created": "2017-10-25T14:48:07.460Z", "x_mitre_old_attack_id": "MOB-T1055", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Manipulate Device Communication", "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1463", "external_id": "T1463" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1" }, { "source_name": "FireEye-SSL", "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1066", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:25.322Z" }, { "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Masquerade as Legitimate Application", "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. 
This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1444", "url": "https://attack.mitre.org/techniques/T1444" }, { "external_id": "APP-31", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html" }, { "external_id": "APP-14", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html" }, { "url": "http://ieeexplore.ieee.org/document/6234407", "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.", "source_name": "Zhou" }, { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2020-04-08T15:19:56.147Z", "created": "2017-10-25T14:48:35.247Z", "x_mitre_is_subtechnique": false, "x_mitre_contributors": [ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_old_attack_id": "MOB-T1047", "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed." }, { "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify Cached Executable Code", "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1403", "external_id": "T1403" }, { "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf", "description": "Paul Sabanal. (2015). Hiding Behind ART. 
Retrieved December 21, 2016.", "source_name": "Sabanal-ART" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "modified": "2019-10-09T19:39:32.872Z", "created": "2017-10-25T14:48:29.092Z", "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", "x_mitre_old_attack_id": "MOB-T1006", "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ] }, { "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify OS Kernel or Boot Partition", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. 
In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1398", "external_id": "T1398" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" }, { "source_name": "Samsung-KnoxWarrantyBit", "description": "Samsung. (n.d.). What is a Knox Warranty Bit and how is it triggered?. Retrieved December 21, 2016.", "url": "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered" }, { "source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). 
If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1001", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:31.294Z" }, { "created": "2017-10-25T14:48:30.890Z", "modified": "2019-09-04T13:35:57.549Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1400", "external_id": "T1400" }, { "external_id": "APP-27", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html" }, { "url": "https://source.android.com/security/verifiedboot/", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "source_name": "Android-VerifiedBoot" }, { "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", "description": "Apple. (2016, May). iOS Security. 
Retrieved December 21, 2016.", "source_name": "Apple-iOSSecurityGuide" } ], "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "name": "Modify System Partition", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.2", "x_mitre_old_attack_id": "MOB-T1003" }, { "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify Trusted Execution Environment", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist 
after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1399", "external_id": "T1399" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-27" }, { "source_name": "Roth-Rootkits", "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016.", "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf" }, { "source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "modified": "2019-02-03T14:23:10.576Z", "created": "2017-10-25T14:48:18.583Z", "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1002" }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1575", "url": "https://attack.mitre.org/techniques/T1575" }, { "source_name": "Google NDK Getting Started", "url": "https://developer.android.com/ndk/guides", "description": 
"Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020." }, { "source_name": "MITRE App Vetting Effectiveness", "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf", "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Native Code", "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. 
The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "modified": "2020-04-28T18:34:15.373Z", "created": "2020-04-28T14:35:37.309Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "This is abuse of standard OS-level APIs and is therefore typically undetectable to the end user.", "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "T1507", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1507" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Information Discovery", "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "modified": "2019-07-10T15:18:16.753Z", "created": "2019-07-10T15:18:16.753Z", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ] }, { "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Service Scanning", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1423", "external_id": "T1423" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1026", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:26.890Z" }, { "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Traffic Capture or Redirection", "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. 
However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1410", "external_id": "T1410" }, { "source_name": "Skycure-Profiles", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.", "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. 
Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1013", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:14.982Z" }, { "created": "2017-10-25T14:48:32.328Z", "modified": "2019-09-23T13:26:01.263Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1406", "external_id": "T1406" }, { "external_id": "APP-21", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html" }, { "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.", "source_name": "Rastogi" }, { "url": "http://ieeexplore.ieee.org/document/6234407", "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.", "source_name": "Zhou" }, { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", "source_name": "TrendMicro-Obad" }, { "url": "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao", "description": "Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.", "source_name": "Xiao-iOS" } ], "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)", "name": "Obfuscated Files or Information", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1009", "x_mitre_detection": "Malicious obfuscation of files or information can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior." }, { "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Obtain Device Cloud Backups", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). 
Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1470", "external_id": "T1470" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", "external_id": "ECO-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", "external_id": "ECO-1" }, { "source_name": "Elcomsoft-EPPB", "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.", "url": "https://www.elcomsoft.com/eppb.html" }, { "source_name": "Elcomsoft-WhatsApp", "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018.", "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "Google provides the ability for users to view their account activity. 
Apple iCloud also provides notifications to users of account activity.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1073", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:18.237Z" }, { "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Process Discovery", "description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1424", "external_id": "T1424" }, { "source_name": "Android-SELinuxChanges", "description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. 
Retrieved December 21, 2016.", "url": "https://code.google.com/p/android/issues/detail?id=205565" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1027", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:33.926Z" }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1544", "url": "https://attack.mitre.org/techniques/T1544" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim\u2019s device.", "name": "Remote File Copy", "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "modified": "2020-01-21T15:27:30.182Z", "created": "2020-01-21T15:27:30.182Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Downloading remote files is common application behavior and is therefore typically undetectable to the end user.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "name": "Remotely Install Application", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": 
"https://attack.mitre.org/techniques/T1443", "external_id": "T1443" } ], "x_mitre_old_attack_id": "MOB-T1046", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.701Z", "created": "2017-10-25T14:48:34.830Z" }, { "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Remotely Track Device Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1468", "external_id": "T1468" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-5" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "EMM-7" }, { "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. 
Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/", "source_name": "Krebs-Location" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "modified": "2019-02-03T14:16:59.424Z", "created": "2017-10-25T14:48:21.023Z", "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1071" }, { "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Remotely Wipe Data Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1469", "external_id": "T1469" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7" }, { "source_name": "Honan-Hacking", "description": "Mat Honan. 
(2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.", "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-T1072", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:07.827Z" }, { "id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Rogue Cellular Base Station", "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1467", "external_id": "T1467" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-7" }, { "source_name": "Computerworld-Femtocell", "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. 
Retrieved December 24, 2016.", "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T15:17:11.346Z", "created": "2017-10-25T14:48:22.296Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1070" }, { "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Rogue Wi-Fi Access Points", "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1465", "external_id": "T1465" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "LPN-0" }, { "source_name": "NIST-SP800153", "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016.", "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf" }, { "source_name": "Kaspersky-DarkHotel", "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. 
Retrieved December 24, 2016.", "url": "https://blog.kaspersky.com/darkhotel-apt/6613/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T15:15:18.023Z", "created": "2017-10-25T14:48:21.354Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1068" }, { "id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "SIM Card Swap", "description": "An adversary could convince the mobile network operator (e.g. through social engineering of carrier staff, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap) (Citation: Motherboard-Simswap2). The adversary could then receive SMS messages or hijack phone calls intended for the legitimate subscriber (Citation: Betanews-Simswap). \n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets or second-factor verification by sending an authentication code over SMS to a phone number associated with the account (Citation: Guardian-Simswap) (Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1451", "external_id": "T1451" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "STA-22" }, { "source_name": "NYGov-Simswap", "description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. 
Retrieved August 23, 2016.", "url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html" }, { "source_name": "Motherboard-Simswap2", "description": "Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018.", "url": "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam" }, { "source_name": "Betanews-Simswap", "description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016.", "url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/" }, { "source_name": "Guardian-Simswap", "description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.", "url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters" }, { "source_name": "Motherboard-Simswap1", "description": "Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018.", "url": "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin" }, { "description": "Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized \u2018SIM Swap\u2019 to Steal Instagram Account. Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/", "source_name": "Krebs-SimSwap" }, { "description": "John Biggs. (2017, August 23). I was hacked. 
Retrieved November 8, 2018.", "url": "https://techcrunch.com/2017/08/23/i-was-hacked/", "source_name": "TechCrunch-SimSwap" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "modified": "2019-02-03T14:13:24.168Z", "created": "2017-10-25T14:48:20.329Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1054" }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1582", "url": "https://attack.mitre.org/techniques/T1582" }, { "external_id": "APP-16", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html" }, { "external_id": "CEL-41", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html" }, { "source_name": "SMS KitKat", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020." }, { "source_name": "Android SmsProvider", "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java", "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "SMS Control", "description": "Adversaries may delete, alter, or send SMS messages without user authorization. 
This could be used to hide C2 SMS messages, spread malware, or cause various other external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions, depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "modified": "2020-10-22T17:04:15.578Z", "created": "2020-09-11T15:14:33.730Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Users can view the default SMS handler in system settings.", "x_mitre_platforms": [ "Android" ] }, { "created": "2019-08-08T18:34:14.178Z", "modified": "2020-06-24T15:03:25.857Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "type": "attack-pattern", "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "description": "Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. 
Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)", "name": "Screen Capture", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "T1513", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1513" }, { "external_id": "APP-40", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html" }, { "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.", "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html", "source_name": "Fortinet screencap July 2019" }, { "description": "Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.", "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager", "source_name": "Android ScreenCap1 2019" }, { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" }, { "description": "Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.", "url": "https://developer.android.com/studio/command-line/adb", "source_name": "Android ScreenCap2 2019" }, { "source_name": "Trend Micro ScreenCap July 2015", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019." } ], "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings.", "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Standard Application Layer Protocol", "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. 
Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1437", "external_id": "T1437" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-29" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "modified": "2019-02-03T14:52:45.266Z", "created": "2017-10-25T14:48:33.158Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1040" }, { "external_references": [ { "external_id": "T1521", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1521" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Standard Cryptographic Protocol", "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "modified": "2019-10-01T14:18:47.762Z", "created": "2019-10-01T14:18:47.762Z", "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is undetectable to the user.", "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "name": "Stolen Developer Credentials or Signing Keys", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1441", "external_id": "T1441" } ], "x_mitre_old_attack_id": "MOB-T1044", "type": "attack-pattern", "modified": "2018-10-17T01:05:10.700Z", "created": "2017-10-25T14:48:05.928Z" }, { "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Supply Chain Compromise", "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. 
In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nThird-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).", "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1474", "url": "https://attack.mitre.org/techniques/T1474" }, { "external_id": "APP-6", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html" }, { "source_name": "NowSecure-RemoteCode", "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016.", "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" }, { "source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. 
Retrieved December 22, 2016.", "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "modified": "2020-10-19T18:06:09.010Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_is_subtechnique": false, "x_mitre_old_attack_id": "MOB-T1077", "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_detection": "* Insecure third-party libraries could be detected by application vetting techniques. For example, Google's [App Security Improvement Program](https://developer.android.com/google/play/asi) detects the use of third-party libraries with known vulnerabilities within Android apps submitted to the Google Play Store.\n* Malicious software development tools could be detected by enterprises that deploy integrity-checking software on the computers used to develop code, in order to detect the presence of unauthorized or modified software development tools." }, { "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. 
Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", "name": "Suppress Application Icon", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1508", "url": "https://attack.mitre.org/techniques/T1508" }, { "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "source_name": "android-trojan-steals-paypal-2fa" }, { "source_name": "sunny-stolen-credentials", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/", "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019." }, { "source_name": "bankbot-spybanker", "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019." 
} ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2019-11-14T18:03:26.460Z", "created": "2019-07-11T18:09:42.039Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Emily Ratliff, IBM" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings." }, { "created": "2017-10-25T14:48:19.265Z", "modified": "2019-11-20T19:56:49.109Z", "kill_chain_phases": [ { "phase_name": "discovery", "kill_chain_name": "mitre-mobile-attack" } ], "type": "attack-pattern", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1426", "url": "https://attack.mitre.org/techniques/T1426" }, { "url": "https://developer.android.com/reference/android/os/Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", "source_name": "Android-Build" }, { "url": "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on", "description": "Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. 
Retrieved December 21, 2016.", "source_name": "StackOverflow-iOSVersion" } ], "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class.(Citation: Android-Build)\n\nOn iOS, techniques exist for applications to programmatically access this information.(Citation: StackOverflow-iOSVersion)", "name": "System Information Discovery", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-T1029", "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "System Network Configuration Discovery", "description": "On Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) The Android `TelephonyManager` class can be used to gather related information such as the IMSI, IMEI, and phone number.(Citation: TelephonyManager)\n\nOn iOS, gathering network configuration information is not possible without root access.", "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1422", "url": "https://attack.mitre.org/techniques/T1422" }, { "url": "https://developer.android.com/reference/java/net/NetworkInterface.html", "description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.", "source_name": "NetworkInterface" }, { "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html", "description": "Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016.", "source_name": "TelephonyManager" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2020-06-02T14:35:01.479Z", "created": "2017-10-25T14:48:32.740Z", "x_mitre_is_subtechnique": false, "x_mitre_old_attack_id": "MOB-T1025", "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "System Network Connections Discovery", "description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1421", "external_id": "T1421" }, { "source_name": "ConnMonitor", "description": "Anti Spy Mobile. (2016, March 14). Network Connections. 
Retrieved December 21, 2016.", "url": "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "modified": "2019-02-01T19:34:17.460Z", "created": "2017-10-25T14:48:33.574Z", "x_mitre_platforms": [ "Android" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1024" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1416", "url": "https://attack.mitre.org/techniques/T1416" }, { "source_name": "Trend Micro iOS URL Hijacking", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" } ], "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. 
Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "name": "URI Hijacking", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "modified": "2020-10-01T12:42:21.628Z", "created": "2017-10-25T14:48:32.008Z", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-T1019", "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", "x_mitre_contributors": [ "Leo Zhang, Trend Micro", "Steven Du, Trend Micro" ], "x_mitre_is_subtechnique": false }, { "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1415", "external_id": "T1415" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "AUT-10" }, { "source_name": "FireEye-Masque2", "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" }, { "source_name": "Dhanjani-URLScheme", "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. 
Retrieved December 21, 2016.", "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" }, { "source_name": "MobileIron-XARA", "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" } ], "name": "URL Scheme Hijacking", "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "type": "attack-pattern", "modified": "2020-10-23T15:05:40.674Z", "created": "2017-10-25T14:48:17.533Z", "x_mitre_old_attack_id": "MOB-T1018" }, { "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "description": "Adversaries may use non-standard ports to exfiltrate information.", "name": "Uncommonly Used Port", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "T1509", "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1509" } ], "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "modified": "2019-09-11T13:27:50.344Z", "created": "2019-08-01T13:44:09.368Z", "x_mitre_detection": "Detection would most likely be at the enterprise level, through packet and/or netflow inspection. 
Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_version": "1.0" }, { "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1576", "url": "https://attack.mitre.org/techniques/T1576" }, { "external_id": "APP-43", "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "modified": "2020-05-26T18:05:37.393Z", "created": "2020-05-04T13:49:34.706Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android" ] }, { "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_platforms": [ "Android", "iOS" ], "created": "2019-02-01T17:29:43.503Z", "modified": "2019-02-01T17:29:43.503Z", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "type": "attack-pattern", "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.\n\nThese commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. 
Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", "name": "Web Service", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://attack.mitre.org/techniques/T1481", "source_name": "mitre-mobile-attack", "external_id": "T1481" } ] }, { "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "relationship_type": "uses", "target_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "(Citation: Lookout Dark Caracal Jan 2018)", "type": "relationship", "modified": "2019-07-16T15:35:21.063Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-10-15T19:37:21.267Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-10-10T15:27:22.110Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--fe3ac79b-8bd2-4d95-805c-6a38de402add", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "iOS 10.3 and higher add an additional step for users to install new trusted CA certificates to make it more difficult to trick users into installing them. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful man-in-the-middle attacks.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Symantec-iOSProfile2", "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles" }, { "source_name": "Android-TrustedCA", "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. 
Retrieved September 24, 2018.", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2" }, { "id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Starting in Android 6.0, applications can no longer access MAC addresses of network interfaces.(Citation: Android60Changes)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html#behavior-hardware-id", "description": "Android. (n.d.). Android 6.0 Changes. Retrieved December 21, 2016.", "source_name": "Android60Changes" } ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "relationship", "modified": "2020-06-02T14:35:01.819Z", "created": "2017-10-25T14:48:53.746Z" }, { "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "relationship_type": "mitigates", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "type": "relationship", "modified": "2020-06-24T15:08:18.481Z", "created": "2017-10-25T14:48:53.742Z" }, { 
"id": "relationship--ef7f8f51-6aea-4f5c-9c96-f353a14cf062", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "relationship_type": "mitigates", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "type": "relationship", "modified": "2019-09-04T13:35:57.919Z", "created": "2017-10-25T14:48:53.745Z" }, { "id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "relationship_type": "uses", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" }, { "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates when an SMS message or call is received.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-08-09T17:59:49.021Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--6885280e-5423-422a-94f1-e91d557e043e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" }, { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "relationship_type": "uses", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" }, { "id": "relationship--4d2d892c-9d3a-445c-b9bf-1eab45703dcc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "type": "relationship", "modified": "2019-07-03T20:25:14.031Z", "created": "2017-10-25T14:48:53.740Z" }, { "id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" }, { "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "relationship_type": "uses", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "relationship", "modified": "2019-10-09T14:51:42.827Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--efcfe1a3-3351-4b4f-ae36-101f103b4798", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was placed in a repackaged version of an application used by Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "relationship_type": "uses", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f" }, { "id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "type": "relationship", "modified": "2019-08-09T18:08:07.146Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks whether the device is on Wi-Fi or a cellular network, and whether it is roaming.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "relationship", "modified": "2019-08-09T17:52:31.748Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Starting in Android 4.1, this technique requires privilege escalation for malicious applications to perform, as apps can no longer access the system log (other than log entries added by a particular app itself). (Additionally, with physical access to the device, the system log could be accessed via USB through the Android Debug Bridge.)(Citation: Android-ReadLogs)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Android-ReadLogs", "description": "Dianne Hackborn. (2012, July 12). 
Re: READ_LOGS permission is not granted to 3rd party applications in Jelly Bean (api 16). Retrieved December 21, 2016.", "url": "https://groups.google.com/d/msg/android-developers/6U4A5irWang/AvZsrTdfICIJ" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.739Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3" }, { "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "relationship_type": "uses", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d" }, { "id": "relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "relationship_type": "revoked-by", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "relationship_type": "revoked-by", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5" }, { "id": "relationship--4df969b3-f5a0-4802-b87e-a458e3e439ed", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Application-layer encryption (e.g. use of the Transport Layer Security protocol) or a Virtual Private Network (VPN) tunnel (e.g. 
using the IPsec protocol) may help mitigate use of untrusted Wi-Fi networks.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.741Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3" }, { "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" }, { "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-10-10T15:24:09.248Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--34cd9b65-70c5-4be4-958c-32dc4673934c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was delivered via an SMS message containing a link to a web site with malicious code.(Citation: PegasusCitizenLab)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", "source_name": "PegasusCitizenLab" } ], "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "type": "relationship", "modified": "2020-01-24T13:55:33.483Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). 
More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "relationship_type": "uses", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "relationship", "modified": "2019-10-10T15:18:51.121Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" }, { "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). 
SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "relationship_type": "uses", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "type": "relationship", "modified": "2019-10-10T15:24:09.250Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user\u2019s clipboard.(Citation: PaloAlto-XcodeGhost)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "relationship_type": "uses", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692" }, { "id": "relationship--8ccfab20-58cf-4af6-9fb0-6bbf59258ac9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.738Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9" }, { "id": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" }, { "id": "relationship--b28c1e81-4f78-4e40-9899-2872cdbcceba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Decrease likelihood of successful privilege escalation attack.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-09-18T18:17:43.649Z", "created": "2017-10-25T14:48:53.736Z" }, { "id": "relationship--690111d3-c281-4d55-a7ed-73b8dab72a85", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Application-layer encryption (e.g. use of the Transport Layer Security protocol) or a Virtual Private Network (VPN) tunnel (e.g. 
using the IPsec protocol) may help mitigate weaknesses in the cellular network encryption.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.741Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34" }, { "id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained a simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "relationship_type": "uses", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" }, { "id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 
5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" }, { "id": "relationship--fab8c40d-b934-4ee0-8e83-f017af2e347a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Application developers should be discouraged from writing sensitive data to the system log in production apps.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.739Z", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "relationship_type": "mitigates", "target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3" }, { "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "relationship_type": "uses", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" }, { "id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "type": "relationship", "modified": "2019-08-09T17:52:31.783Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", 
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "relationship", "modified": "2019-10-10T15:22:52.591Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "type": "relationship", "modified": "2019-08-09T17:59:49.034Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). 
Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" }, { "id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2020-09-11T15:55:43.839Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "This mitigation may not always be effective depending on the method used to encrypt network traffic. 
In some cases, an adversary may be able to capture traffic before it is encrypted.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.737Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9" }, { "id": "relationship--5f82db63-d7c2-43c7-a056-3cf718201ced", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DroidJack](https://attack.mitre.org/software/S0320) included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.(Citation: Proofpoint-Droidjack)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. 
Retrieved January 20, 2017.", "source_name": "Proofpoint-Droidjack" } ], "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "relationship_type": "uses", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "type": "relationship", "modified": "2019-08-09T18:02:06.717Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--b5097495-f417-46ed-88e2-02cba2371936", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.744Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796" }, { "id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "type": "relationship", "modified": "2019-08-09T17:52:31.764Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "relationship_type": "uses", "target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "type": "relationship", "modified": "2019-09-10T13:14:38.944Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "relationship", "modified": "2019-08-09T18:08:07.144Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS message and contact information as well as intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" }, { "id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" }, { "id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a" }, { "id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" }, { "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "relationship", "modified": "2019-10-15T19:44:36.125Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "relationship_type": "uses", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "relationship", "modified": "2020-07-20T13:49:03.710Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--b2c61294-707f-4735-8874-e36ed6c1ff47", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5" }, { "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-10-09T14:51:42.845Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "relationship", "modified": "2019-10-15T19:37:21.273Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-08-09T17:59:49.074Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "relationship_type": "uses", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1" }, { "id": "relationship--b2b31911-5b7e-4df3-89c6-00b5b372fb4f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.741Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed" }, { "id": "relationship--cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Enterprise policies could be provisioned to devices to control the Wi-Fi access points that they are allowed to connect to.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "relationship_type": "mitigates", "target_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "type": "relationship", "modified": "2020-06-24T15:08:18.504Z", "created": "2017-10-25T14:48:53.741Z" }, { "id": "relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "relationship_type": "revoked-by", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "relationship", "modified": "2019-10-10T15:18:51.154Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" }, { "id": "relationship--bbf13431-c3d2-4800-aada-273b3a47dcba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RuMMS](https://attack.mitre.org/software/S0313) is delivered via an SMS message containing a link to an APK (Android application package).(Citation: FireEye-RuMMS)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) updates and sends the location of the phone.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" }, { "id": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "type": "relationship", "modified": "2019-08-09T17:56:05.617Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "relationship_type": "uses", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" }, { "id": "relationship--f157970b-4782-46d0-abdd-000ae6eea14b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "relationship_type": "revoked-by", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" }, { "id": "relationship--f0a81b31-97ce-403b-90e9-7a910a93a31f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": 
"[Android/Chuli.A](https://attack.mitre.org/software/S0304) was delivered via a spearphishing message containing a malicious Android application as an attachment.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "type": "relationship", "modified": "2019-10-15T19:54:10.222Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-10-10T15:24:09.355Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--34351abd-1f58-420a-a893-ad822839815d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44" }, { "id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" }, { "id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-10-10T15:27:22.139Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "relationship_type": "uses", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" }, { "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Most new versions of mobile operating systems include patches to newly discovered privilege escalation exploits used to root or jailbreak devices. Further, applications that target Android API level 28 or higher on Android 9.0 and above devices have a policy applied that prevents other applications from reading or writing data in their internal storage directories, regardless of file permissions.(Citation: Android-9.0-API-Changes)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "source_name": "Android-9.0-API-Changes", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-28", "description": "Google. (n.d.). Behavior changes: apps targeting API level 28+. Retrieved September 18, 2019." } ], "type": "relationship", "modified": "2019-10-10T14:17:49.077Z", "created": "2017-10-25T14:48:53.738Z" }, { "id": "relationship--f8277cd5-b14a-4b59-9f29-8ce24dfbdf5e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) apparently evaded Apple's app review process by performing different behaviors for users from different physical locations (e.g. 
performing differently for users in China versus outside of China), which could have bypassed the review process depending on the country from which it was performed.(Citation: Xiao-ZergHelper)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "relationship_type": "uses", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" }, { "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "type": "relationship", "modified": "2019-08-09T17:56:05.642Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "type": "relationship", "modified": "2019-08-09T17:53:48.746Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--a4b53160-fdb8-4cab-90cc-ad12ab13a8a0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-09-18T18:18:51.036Z", "created": "2017-10-25T14:48:53.738Z" }, { "id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Increase 
difficulty of escalating privileges, as security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.741Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848" }, { "id": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "type": "relationship", "modified": "2019-10-15T19:54:10.251Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "relationship_type": "uses", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" }, { "id": "relationship--ac523dfb-36be-4402-acf2-abe98e183eef", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "In July 2016, [HummingBad](https://attack.mitre.org/software/S0322) generated more than $300,000 per month in revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. 
(2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "relationship_type": "uses", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf" }, { "id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "type": "relationship", "modified": "2019-08-09T17:52:31.766Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "relationship", "modified": "2019-10-15T19:27:27.997Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-10-10T15:27:22.157Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "type": "relationship", "modified": "2019-08-09T17:56:05.655Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. 
(n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "relationship", "modified": "2019-08-09T17:59:49.072Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "relationship_type": "uses", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf" }, { "id": "relationship--9f737872-3503-4ef4-b575-ab6037b33a98", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[KeyRaider](https://attack.mitre.org/software/S0288) has built-in functionality to lock victims out of devices and hold them for ransom.(Citation: Xiao-KeyRaider)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "relationship_type": "uses", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1" }, { "id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "type": "relationship", "modified": "2019-08-09T17:52:31.820Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). 
Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-08-09T17:53:48.760Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--74155759-4c76-42d3-b64f-a898f7b582f9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "App developers should be advised to use the Android Network Security Configuration feature and the iOS App Transport Security feature to gain some level of assurance that app network traffic is protected.(Citation: Google-TrustManager)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Google-TrustManager", "description": "Google. (n.d.). How to fix apps containing an unsafe implementation of TrustManager. Retrieved December 24, 2016.", "url": "https://support.google.com/faqs/answer/6346016?hl=en" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.743Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63" }, { "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" }, { "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number and mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" }, { "id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the phone and the SIM card.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "type": "relationship", "modified": "2019-10-15T19:54:10.250Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--7d481598-ece7-469c-b231-619a804c25e5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" }, { "id": "relationship--1ed76ca9-0ed6-40f9-89c6-64662fdd447d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "relationship_type": "mitigates", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "type": "relationship", "modified": "2019-07-03T20:25:14.030Z", "created": "2017-10-25T14:48:53.740Z" }, { "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "As stated in the technical description, Android 7 and above 
prevent applications from accessing this information.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.747Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" }, { "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "relationship_type": "uses", "target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "external_references": [ { "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.", "source_name": "CrowdStrike-Android" } ], "description": "(Citation: CrowdStrike-Android)", "type": "relationship", "modified": "2020-03-20T16:37:06.668Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-08-09T17:52:31.818Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "relationship", "modified": "2019-08-09T17:52:31.838Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. 
Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "relationship_type": "uses", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5" }, { "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "type": "relationship", "modified": "2019-09-18T13:45:58.872Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" }, { "id": "relationship--dfc1f490-f8b9-4287-8c79-652d42f0a64a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "type": "relationship", "modified": "2019-09-18T19:02:10.194Z", "created": "2017-10-25T14:48:53.747Z" }, { "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "relationship_type": "revoked-by", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd" }, { "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). 
Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" }, { "id": "relationship--b596251a-73db-4e53-a04d-51be783b0241", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Xiao-KeyRaider)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "relationship_type": "uses", "target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9" }, { "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2020-07-20T13:49:03.687Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", 
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "relationship", "modified": "2019-08-09T17:56:05.686Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", "source_name": "Zscaler-SuperMarioRun" } ], "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-08-09T18:02:06.715Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "relationship_type": "uses", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "relationship", "modified": "2019-10-15T19:56:13.162Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "type": "relationship", "modified": "2019-08-09T17:56:05.685Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" }, { "id": "relationship--0977107c-9dd3-4cc5-b769-7e29da9f4bb6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "relationship_type": "mitigates", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "type": "relationship", "modified": "2019-09-04T13:35:57.922Z", "created": "2017-10-25T14:48:53.746Z" }, { "id": "relationship--d6930d98-f8a2-4556-baa4-95275d3fa23d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Starting with Android 4.2 the user must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf", "description": "Google. (2014). Android Security 2014 Year in Review. 
Retrieved December 12, 2016.", "source_name": "AndroidSecurity2014" } ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "type": "relationship", "modified": "2020-05-04T15:38:57.124Z", "created": "2017-10-25T14:48:53.735Z" }, { "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "relationship_type": "revoked-by", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" }, { "id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "relationship_type": "uses", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" }, { "id": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "type": "relationship", "modified": "2019-08-09T17:59:49.091Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-08-09T17:53:48.762Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060" }, { "id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44" }, { "id": "relationship--b2c289bf-e981-4bcd-87dd-b6c0680557e9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Changes were made in Android 7 to help prevent use of this technique.(Citation: GoogleIO2016)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "GoogleIO2016", "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016.", "url": "https://www.youtube.com/watch?v=XZzLjllizYs" } ], "type": "relationship", "modified": "2019-02-03T16:56:41.449Z", "created": "2017-10-25T14:48:53.745Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483" }, { "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "relationship_type": "uses", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d" }, { "id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "type": "relationship", "modified": "2019-08-09T17:52:31.852Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" }, { "id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-10-10T15:24:09.351Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" }, { "id": "relationship--6bb99599-aa51-4492-9c79-296a772233b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "relationship_type": "mitigates", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "type": "relationship", "modified": "2019-07-03T20:25:14.045Z", "created": "2017-10-25T14:48:53.740Z" }, { "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "relationship_type": "uses", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6" }, { "id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "type": "relationship", "modified": "2019-10-09T14:51:42.856Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send messages to premium-rate SMS numbers.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "relationship_type": "uses", "target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274" }, { "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "type": "relationship", "modified": "2019-08-09T17:53:48.783Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). 
RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "relationship_type": "uses", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" }, { "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "relationship_type": "uses", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" }, { "id": "relationship--dc6eb5d7-acef-4eb4-bece-4e8c90c914dc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Use of end-to-end encryption of voice calls and text messages \"provides another layer in the defense against potential information compromise by SS7 enabled eavesdropping.\"(Citation: CSRIC5-WG10-FinalReport)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "type": "relationship", "modified": "2019-02-03T16:28:53.074Z", "created": "2017-10-25T14:48:53.733Z", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "relationship_type": "mitigates", "target_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" }, { "id": "relationship--6f8b3839-ea91-44d5-ba68-b9d1e6076c19", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.735Z", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "relationship_type": "mitigates", "target_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5" }, { "id": "relationship--3f3d63f0-1f03-4931-9624-10eaf4b207b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.733Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57" }, { "id": "relationship--2555c438-cd9f-49ed-93f6-a935a9861c54", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Marcher](https://attack.mitre.org/software/S0317) is delivered via a link sent by SMS or email, including instructions advising the user to modify their Android device security settings to enable apps to be installed from \"Unknown Sources.\"(Citation: Proofpoint-Marcher)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). 
Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--e75c623a-f9ac-4f46-b093-dd0e40b50cc6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Marcher](https://attack.mitre.org/software/S0317) attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. [Marcher](https://attack.mitre.org/software/S0317) also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.(Citation: Proofpoint-Marcher)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. 
Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "relationship_type": "uses", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" }, { "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "type": "relationship", "modified": "2019-10-15T19:54:10.247Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57" }, { "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "relationship_type": "uses", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "relationship", "modified": "2019-08-09T18:08:07.145Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "relationship_type": "uses", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "relationship", "modified": "2019-10-10T15:24:09.378Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "relationship_type": "revoked-by", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" }, { "id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-08-09T17:52:31.853Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "type": "relationship", "modified": "2019-08-09T17:52:31.854Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). 
Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "relationship_type": "uses", "target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69" }, { "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-08-09T17:53:48.780Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "relationship", "modified": "2019-08-09T17:56:05.683Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--2a287c91-2792-407f-a9ee-8153a802b7c6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) abuses enterprise certificates and personal certificates to sign and distribute apps.(Citation: Xiao-ZergHelper)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "relationship_type": "revoked-by", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "relationship_type": "revoked-by", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" }, { "id": "relationship--290a627d-172d-494d-a0cc-685f480a1034", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44" }, { "id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", "source_name": "Zscaler-SuperMarioRun" } ], "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-08-09T18:02:06.731Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "relationship_type": "uses", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2" }, { "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-08-09T17:56:05.682Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--93103ac2-0e3b-4f0f-a054-7f9b947b3172", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to detect whether it is running in an emulator rather than a real device.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "type": "relationship", "modified": "2019-08-09T17:52:31.851Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "relationship_type": "uses", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4" }, { "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "relationship", "modified": "2019-10-10T15:27:22.174Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.746Z", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "relationship_type": "mitigates", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5" }, { "id": "relationship--465ff71b-2b1b-43b6-ab78-afb273d956d2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "relationship_type": "mitigates", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "description": "There are very limited circumstances under which device administrator access should be granted.", "type": "relationship", "modified": "2020-09-11T14:08:08.693Z", "created": "2017-10-25T14:48:53.746Z" }, { "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 
5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4" }, { "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-08-09T17:59:49.094Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "relationship_type": "uses", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" }, { "id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, Firebase Cloud Messaging, or (in older versions) Google Cloud Messaging.(Citation: Kaspersky-Skygofree)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "type": "relationship", "modified": "2019-08-09T18:08:07.174Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "type": "relationship", "modified": "2019-08-09T17:59:49.111Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "relationship_type": "uses", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "type": "relationship", "modified": "2019-10-09T14:51:42.854Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "relationship_type": "uses", "target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274" }, { "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160" }, { "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "type": "relationship", "modified": "2019-08-09T17:59:49.112Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "relationship_type": "uses", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "relationship", "modified": "2019-08-09T17:53:48.793Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "type": "relationship", "modified": "2019-10-10T15:24:09.393Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--26a9db86-5ecf-400a-bdd9-419448c2f776", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2019-02-03T16:28:53.048Z", "created": "2017-10-25T14:48:53.733Z", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "relationship_type": "mitigates", "target_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" }, { "id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-10-15T19:54:10.249Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-10-15T19:54:10.284Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--9d621873-6d3c-4660-be9a-57e2e8648236", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Marcher](https://attack.mitre.org/software/S0317) requests Android Device Administrator access.(Citation: Proofpoint-Marcher)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. 
Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "relationship_type": "uses", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483" }, { "id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0" }, { "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-08-09T18:08:07.173Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "relationship_type": "uses", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "type": "relationship", "modified": "2020-07-20T13:49:03.712Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "relationship_type": "uses", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "type": "relationship", "modified": "2019-08-09T18:08:07.183Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--08e7c0ad-f2d7-472c-97de-3627ca5d2991", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.745Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" }, { "id": "relationship--37c4a0cf-0552-46fd-b067-419b15833044", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2019-02-03T17:08:07.545Z", "created": "2017-10-25T14:48:53.743Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd" }, { "id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "relationship_type": "uses", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "type": "relationship", "modified": "2019-10-10T15:18:51.147Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "relationship_type": "uses", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172" }, { "id": "relationship--51186ad6-e721-49cf-9cf7-89466d5f29f4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.742Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884" }, { "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.742Z", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "relationship_type": "mitigates", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d" }, { "id": "relationship--ebdb9385-6311-4532-b021-2da48734aab7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", "external_references": [ { "source_name": "Android 10 DEX", "url": "https://developer.android.com/topic/security/dex.md", "description": "Android Developers. (n.d.). Run embedded DEX code directly from APK. Retrieved September 20, 2019." 
} ], "description": "For applications running on Android 10 and higher, application developers can indicate that DEX code should always be executed directly from the application package rather than from an extracted or compiled copy on the device, which removes the cached copy of the code that an adversary could otherwise tamper with.(Citation: Android 10 DEX)", "type": "relationship", "modified": "2019-10-09T19:39:33.177Z", "created": "2017-10-25T14:48:53.744Z" }, { "id": "relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "relationship_type": "revoked-by", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" }, { "id": "relationship--4fc45b06-287d-4151-9f5a-37bb34dcdeec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is delivered via an unsolicited text message containing a link to a web download URI.(Citation: Tripwire-MazarBOT)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "relationship_type": "uses", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" }, { "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies mitigate brute-force and guessing attacks against the device passcode; a longer, more complex passcode is also harder to capture by shoulder surfing, whereas a wipe-on-failure policy offers no protection once the passcode has been observed. 
If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make \"using a longer, more complex passcode far more practical because you don't need to enter it as frequently.\"(Citation: Apple-iOSSecurityGuide)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" } ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "relationship_type": "mitigates", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "type": "relationship", "modified": "2020-06-24T15:08:18.503Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "relationship_type": "revoked-by", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57" }, { "id": "relationship--50c81a85-8c70-48df-a338-8622d2debc74", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-10-10T15:27:22.177Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for communication and exfiltration.(Citation: Wandera-RedDrop)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "type": "relationship", "modified": "2019-10-15T19:27:28.029Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). 
Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "relationship_type": "uses", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "relationship", "modified": "2019-08-09T17:52:31.848Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "type": "relationship", "modified": "2019-10-15T19:37:21.366Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2020-07-20T13:49:03.690Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--3c2d7ccc-5980-4012-8aab-64979bcd0ea6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2019-02-03T16:56:41.438Z", "created": "2017-10-25T14:48:53.745Z", "source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "relationship_type": "mitigates", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483" }, { "id": "relationship--ef977f9e-c505-449f-883a-915c1de1015f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from trusting, and therefore running, sideloaded apps signed using enterprise distribution keys.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "relationship_type": "mitigates", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "type": "relationship", "modified": "2020-06-24T15:08:18.501Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": 
"attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "relationship_type": "revoked-by", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd" }, { "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "relationship_type": "revoked-by", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" }, { "id": "relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "relationship_type": "revoked-by", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a" }, { "id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "type": "relationship", "modified": "2019-10-15T19:54:10.283Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store.(Citation: ArsTechnica-HummingBad)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "relationship_type": "uses", "target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69" }, { "id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). 
Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" }, { "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760" }, { "id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. 
When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "relationship_type": "uses", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf" }, { "id": "relationship--55f12292-dc9d-4bfd-9de9-2d07cd67b044", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Android 7.0 and higher includes additional protections against this technique.", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "type": "relationship", "modified": "2019-07-29T13:57:09.300Z", "created": "2017-10-25T14:48:53.734Z" }, { "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": 
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "relationship", "modified": "2019-10-15T19:44:36.177Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985", "relationship_type": "uses", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673" }, { "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). 
Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "relationship_type": "uses", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "relationship", "modified": "2019-10-15T19:54:10.285Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "Newer OS versions generally will include security patches against discovered vulnerabilities that become known to the vendor. Additionally, iOS 11.4.1 and higher introduce USB Restricted Mode, which under certain conditions disables data access through the device's charging port (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Elcomsoft-iOSRestricted", "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. 
Retrieved September 21, 2018.", "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.742Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d" }, { "id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "relationship_type": "uses", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" }, { "id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" }, { "source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "relationship_type": "uses", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad" }, { "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "relationship_type": "uses", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d" }, { "id": "relationship--51757971-17ac-40c3-bae7-78365579db49", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "relationship_type": "uses", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483" }, { "id": "relationship--a3ba222d-8dcd-4222-b1d0-169eff16922f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "type": "relationship", "modified": "2019-10-15T19:21:56.823Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "relationship_type": "uses", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "relationship", "modified": "2019-10-10T15:27:22.175Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-09-10T13:14:39.009Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--93c20f43-6684-471c-910f-d9577f289677", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "relationship_type": "uses", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "type": "relationship", "modified": "2019-10-15T19:44:36.188Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--09fa9342-34cb-4f0d-8cdf-df4d51d0ae12", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.737Z", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "relationship_type": "mitigates", "target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300" }, { "id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "source_name": "Zscaler-SuperMarioRun" } ], "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "relationship_type": "uses", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "relationship", "modified": "2019-08-09T18:02:06.740Z", "created": "2017-12-14T16:46:06.044Z" }, { "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "relationship_type": "uses", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd" }, { "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). 
The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "relationship_type": "uses", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d" }, { "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-12-14T16:46:06.044Z", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "relationship_type": "uses", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77" }, { "id": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). 
SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "type": "relationship", "modified": "2019-10-15T19:37:21.362Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--9ea81224-70ef-46c2-89d4-2261c11789b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[YiSpecter](https://attack.mitre.org/software/S0311)'s malicious apps were signed with iOS enterprise certificates issued by Apple to allow the apps to be installed as enterprise apps on non-jailbroken iOS devices.(Citation: PaloAlto-YiSpecter)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "PaloAlto-YiSpecter", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved January 20, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "type": "relationship", "modified": "2018-10-17T00:14:20.652Z", "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "relationship_type": "uses", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7" }, { "id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "relationship_type": "uses", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "type": "relationship", "modified": "2019-08-09T17:56:05.714Z", "created": "2018-10-17T00:14:20.652Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", "source_name": "TrendMicro-Anserver2" } ], "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "id": "relationship--919a13bc-74be-4660-af63-454abee92635", "type": "relationship", "modified": "2019-08-05T20:05:25.571Z", "created": "2019-03-11T15:13:40.408Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", "source_name": "TrendMicro-Anserver2" } ], "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", "type": "relationship", "modified": "2019-10-15T19:55:04.517Z", "created": "2019-03-11T15:13:40.425Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. 
Retrieved February 6, 2017.", "source_name": "TrendMicro-Anserver" } ], "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)", "relationship_type": "uses", "id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22", "type": "relationship", "modified": "2019-08-05T20:05:25.585Z", "created": "2019-03-11T15:13:40.454Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357", "type": "relationship", "modified": "2019-08-12T17:30:07.501Z", "created": "2019-07-10T15:25:57.572Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d", "type": "relationship", "modified": "2019-08-12T17:30:07.570Z", "created": "2019-07-10T15:25:57.585Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", "type": "relationship", "modified": "2019-08-12T17:30:07.571Z", "created": "2019-07-10T15:25:57.602Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", "type": "relationship", "modified": "2019-08-12T17:30:07.572Z", "created": "2019-07-10T15:25:57.604Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "description": "[FinFisher](https://attack.mitre.org/software/S0182) exfiltrates data over commonly used ports, such as ports 21, 53, and 443.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--29c45d94-f985-4128-b845-bf1159d606cb", "type": "relationship", "modified": "2019-08-12T17:30:07.573Z", "created": "2019-07-10T15:25:57.607Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", "type": "relationship", "modified": "2019-08-12T17:30:07.568Z", "created": "2019-07-10T15:25:57.623Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", "type": "relationship", "modified": "2019-08-09T18:06:11.693Z", "created": "2019-07-10T15:35:43.610Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", "type": "relationship", "modified": "2019-08-09T18:06:11.741Z", "created": "2019-07-10T15:35:43.631Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d", "type": "relationship", "modified": "2019-08-09T18:06:11.740Z", "created": "2019-07-10T15:35:43.658Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--48486680-530c-4ed9-aca3-94969aa262b6", "type": "relationship", "modified": "2019-08-09T18:06:11.738Z", "created": "2019-07-10T15:35:43.665Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1", "type": "relationship", "modified": "2019-08-09T18:06:11.802Z", "created": "2019-07-10T15:35:43.661Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650", "type": "relationship", "modified": "2019-08-09T18:06:11.799Z", "created": "2019-07-10T15:35:43.663Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed", "type": "relationship", "modified": "2019-08-09T18:06:11.840Z", "created": "2019-07-10T15:35:43.668Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd", "type": "relationship", "modified": "2019-08-09T18:06:11.839Z", "created": "2019-07-10T15:35:43.699Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3", "type": "relationship", "modified": "2019-08-09T18:06:11.844Z", "created": "2019-07-10T15:35:43.712Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb", "type": "relationship", "modified": "2019-08-09T18:06:11.842Z", "created": "2019-07-10T15:35:43.710Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", "type": "relationship", "modified": "2019-08-09T18:06:11.797Z", "created": "2019-07-10T15:35:43.708Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to download and install attacker-specified applications.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--32625429-e05a-48a5-8f0b-53c6046e9b1a", "type": "relationship", "modified": "2019-09-18T20:17:18.072Z", "created": "2019-07-10T15:35:43.702Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--fb587f81-1300-438d-a33b-f8d08530788b", "type": "relationship", "modified": "2019-08-09T18:06:11.871Z", "created": "2019-07-10T15:35:43.704Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) distributes [Pallas](https://attack.mitre.org/software/S0399) via trojanized applications hosted on watering hole websites.(Citation: Lookout Dark Caracal Jan 2018) ", "relationship_type": "uses", "id": "relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa0a5f", "type": "relationship", "modified": "2019-07-16T15:35:21.028Z", "created": "2019-07-10T15:42:09.591Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ", "relationship_type": "uses", "id": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71", "type": "relationship", "modified": "2019-07-16T15:35:20.953Z", "created": "2019-07-10T15:42:09.606Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", "type": "relationship", "modified": "2019-07-16T15:35:21.086Z", "created": "2019-07-10T15:47:19.659Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", "relationship_type": "uses", "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", "type": "relationship", "modified": "2020-04-27T16:52:49.480Z", "created": "2019-07-16T14:33:12.085Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." 
}, { "source_name": "Kaspersky Triada June 2016", "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019." } ], "description": "[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ", "relationship_type": "uses", "id": "relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f", "type": "relationship", "modified": "2020-04-27T16:52:49.550Z", "created": "2019-07-16T14:33:12.107Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." }, { "source_name": "Krebs-Triada June 2019", "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/", "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019." 
} ], "description": "[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019) (Citation: Krebs-Triada June 2019)", "relationship_type": "uses", "id": "relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9", "type": "relationship", "modified": "2020-04-27T16:52:49.540Z", "created": "2019-07-16T14:33:12.113Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "description": "[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. 
This permission enables access to information about applications currently on the foreground and other recently used apps.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", "type": "relationship", "modified": "2020-04-27T16:52:49.643Z", "created": "2019-07-16T14:33:12.117Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "description": "[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "id": "relationship--d32003ba-959b-4377-aa04-f75275c32abf", "type": "relationship", "modified": "2020-04-27T16:52:49.636Z", "created": "2019-07-16T14:33:12.144Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", "source_name": "Kaspersky Triada March 2016" } ], "description": "[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ", "relationship_type": "uses", "id": "relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a", "type": "relationship", "modified": "2020-04-27T16:52:49.640Z", "created": "2019-07-16T14:33:12.175Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", "source_name": "Kaspersky Triada March 2016" } ], "description": "Early [Triada](https://attack.mitre.org/software/S0424) variants were delivered through trojanized apps that were distributed via the Play Store.(Citation: Kaspersky Triada March 2016) ", "relationship_type": "uses", "id": "relationship--cf23f54e-214b-4780-891f-99ab6e023951", "type": "relationship", "modified": "2020-04-27T16:52:49.629Z", "created": "2019-07-16T14:33:12.178Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "relationship_type": "mitigates", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to whitelist applications that are allowed to use Android's accessibility features.", "id": 
"relationship--fbd2d4f7-96ff-4624-a567-d4882f0c10ca", "type": "relationship", "modified": "2020-03-30T14:03:43.920Z", "created": "2019-07-23T15:35:23.530Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "relationship_type": "mitigates", "description": "Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device\u2019s default input method editor (IME).(Citation: Android 10 Privacy Changes)", "id": "relationship--409570bb-77c9-4021-920e-1600a7f4efbd", "external_references": [ { "source_name": "Android 10 Privacy Changes", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." } ], "type": "relationship", "modified": "2019-09-12T15:47:41.846Z", "created": "2019-07-26T14:26:57.207Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", "type": "relationship", "modified": "2019-08-09T18:06:11.873Z", "created": "2019-08-05T13:22:03.917Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "description": "[Riltok](https://attack.mitre.org/software/S0403) is distributed via phishing SMS messages from infected devices.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--0c53692d-16a1-4c25-8a3e-30802b2d0c7f", "type": "relationship", "modified": "2019-09-15T15:36:42.273Z", "created": "2019-08-07T15:57:13.380Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "description": "[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7", "type": "relationship", "modified": "2019-09-18T13:44:13.453Z", "created": "2019-08-07T15:57:13.388Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "description": "[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--327d0102-2113-4e12-be68-504db097a6fd", "type": "relationship", "modified": "2019-09-15T15:36:42.313Z", "created": "2019-08-07T15:57:13.409Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "description": "[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", "type": "relationship", "modified": "2019-09-15T15:36:42.312Z", "created": "2019-08-07T15:57:13.412Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "description": "[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", "type": "relationship", "modified": "2019-09-15T15:36:42.339Z", "created": "2019-08-07T15:57:13.415Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "description": "[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", "type": "relationship", "modified": "2019-09-15T15:36:42.340Z", "created": "2019-08-07T15:57:13.417Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "description": "[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--3efe7dcc-a572-45ac-aff2-2932206a0632", "type": "relationship", "modified": "2019-09-15T15:36:42.341Z", "created": "2019-08-07T15:57:13.441Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "description": "[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--b641e5b8-5981-452a-99f0-3598c783e5ee", "type": "relationship", "modified": "2019-09-15T15:36:42.362Z", "created": "2019-08-07T15:57:13.443Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "description": "[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0", "type": "relationship", "modified": "2019-09-15T15:36:42.364Z", "created": "2019-08-07T15:57:13.453Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "relationship_type": "mitigates", "description": "Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device\u2019s default input method editor (IME).(Citation: Android 10 Privacy Changes)", "id": "relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5", "external_references": 
[ { "source_name": "Android 10 Privacy Changes", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." } ], "type": "relationship", "modified": "2019-09-13T20:46:26.362Z", "created": "2019-08-08T18:47:57.655Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "relationship_type": "mitigates", "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019)", "id": "relationship--492d5699-f885-411a-8431-254fcf33fb12", "external_references": [ { "source_name": "Android Capture Sensor 2019", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", "description": "Android Developers. (, January). Android 9+ Privacy Changes. Retrieved August 27, 2019." 
} ], "type": "relationship", "modified": "2019-09-12T18:33:15.160Z", "created": "2019-08-09T16:14:58.367Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "relationship_type": "mitigates", "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019)", "id": "relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb", "external_references": [ { "source_name": "Android Capture Sensor 2019", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", "description": "Android Developers. (, January). Android 9+ Privacy Changes. Retrieved August 27, 2019." } ], "type": "relationship", "modified": "2019-09-20T17:59:11.161Z", "created": "2019-08-09T16:19:02.782Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", "type": "relationship", "modified": "2019-08-09T17:52:31.877Z", "created": "2019-08-09T17:52:13.352Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", "type": "relationship", "modified": "2019-08-09T17:53:48.716Z", "created": "2019-08-09T17:53:48.716Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). 
SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", "type": "relationship", "modified": "2019-08-09T17:56:05.588Z", "created": "2019-08-09T17:56:05.588Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", "type": "relationship", "modified": "2019-08-09T17:59:48.988Z", "created": "2019-08-09T17:59:48.988Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "source_name": "Zscaler-SuperMarioRun" } ], "description": "[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "id": "relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c", "type": "relationship", "modified": "2019-08-09T18:02:06.688Z", "created": "2019-08-09T18:02:06.688Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "description": "[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", "type": "relationship", "modified": "2019-08-09T18:06:11.672Z", "created": "2019-08-09T18:06:11.672Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", "type": "relationship", "modified": "2019-08-09T18:08:07.109Z", "created": "2019-08-09T18:08:07.109Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "relationship_type": "mitigates", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end user.(Citation: Samsung Keyboards)", "id": "relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936", "external_references": [ { "source_name": "Samsung Keyboards", "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted. Retrieved September 1, 2019." } ], "type": "relationship", "modified": "2020-06-24T15:09:12.613Z", "created": "2019-08-29T18:57:55.926Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) One has been distributed via the Play Store.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--a6cfae27-9ba8-458e-85cc-ec1b1dc22d8a", "type": "relationship", "modified": "2019-09-11T13:25:19.127Z", "created": "2019-09-03T19:45:48.480Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", "type": "relationship", "modified": "2019-09-11T13:25:19.117Z", "created": "2019-09-03T19:45:48.485Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", "type": "relationship", "modified": "2019-10-14T16:47:53.197Z", "created": "2019-09-03T19:45:48.501Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--e3d04885-95a5-47cb-a038-b58542cf787d", "type": "relationship", "modified": "2019-09-11T13:25:19.115Z", "created": "2019-09-03T19:45:48.487Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", "type": "relationship", "modified": "2019-10-14T16:47:53.226Z", "created": "2019-09-03T19:45:48.496Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", "type": "relationship", "modified": "2019-09-11T13:25:19.114Z", "created": "2019-09-03T19:45:48.508Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "id": "relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f", "type": "relationship", "modified": "2019-09-11T13:25:19.122Z", "created": "2019-09-03T19:45:48.518Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", "type": "relationship", "modified": "2019-09-11T13:25:19.128Z", "created": "2019-09-03T19:45:48.489Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", "type": "relationship", "modified": "2019-09-11T13:25:19.179Z", "created": "2019-09-03T19:45:48.494Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", "type": "relationship", "modified": "2019-09-11T13:25:19.178Z", "created": "2019-09-03T19:45:48.505Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--084786ee-9384-4a00-9e1b-48f94ea70126", "type": "relationship", "modified": "2019-09-11T13:25:19.214Z", "created": "2019-09-03T19:45:48.517Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", "type": "relationship", "modified": "2019-09-11T13:25:19.210Z", "created": "2019-09-03T19:45:48.512Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--418168ad-fee9-42c8-ac27-11f7472a5f86", "type": "relationship", "modified": "2019-09-11T13:25:19.215Z", "created": "2019-09-03T19:45:48.498Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca", "type": "relationship", "modified": "2019-09-11T13:25:19.211Z", "created": "2019-09-03T19:45:48.510Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", "type": "relationship", "modified": "2019-10-14T17:15:52.637Z", "created": "2019-09-03T19:45:48.492Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd", "type": "relationship", "modified": "2019-09-11T13:25:19.209Z", "created": "2019-09-03T19:45:48.503Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "description": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", "type": "relationship", "modified": "2019-09-11T13:25:19.216Z", "created": "2019-09-03T19:45:48.515Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": " [Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "id": "relationship--6d2c7743-fc75-4524-b217-13867ca1dd10", "type": "relationship", "modified": "2019-09-15T15:35:33.236Z", "created": "2019-09-03T20:08:00.649Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": " [Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", "type": "relationship", "modified": "2019-10-10T15:19:47.960Z", "created": "2019-09-03T20:08:00.670Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": " [Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "id": "relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c", "type": "relationship", "modified": "2019-09-15T15:35:33.261Z", "created": "2019-09-03T20:08:00.687Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) was distributed via SMS phishing messages to numbers exfiltrated from compromised devices\u2019 contact lists. The phishing SMS messages are sent from the compromised device to the target device.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--cfda3abb-4372-4dbf-ace3-b8d5a0a6ad60", "type": "relationship", "modified": "2019-09-15T15:35:33.345Z", "created": "2019-09-03T20:08:00.701Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer. Command information is obfuscated using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2", "type": "relationship", "modified": "2019-10-14T19:14:20.711Z", "created": "2019-09-03T20:08:00.704Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "description": "Vitor Ventura. 
(2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--38962b26-7cbe-4761-8b4f-50a022167c4d", "type": "relationship", "modified": "2019-09-15T15:35:33.339Z", "created": "2019-09-03T20:08:00.708Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." }, { "source_name": "Group IB Gustuff Mar 2019", "url": "https://www.group-ib.com/blog/gustuff", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. [Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay. 
(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)", "relationship_type": "uses", "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", "type": "relationship", "modified": "2019-10-14T19:07:24.497Z", "created": "2019-09-03T20:08:00.711Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": " [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "id": "relationship--96569099-db95-4f3c-8ded-6d9cf023e55e", "type": "relationship", "modified": "2019-09-15T15:35:33.343Z", "created": "2019-09-03T20:08:00.717Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56", "type": "relationship", "modified": "2019-09-23T13:20:49.865Z", "created": "2019-09-03T20:08:00.737Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e", "type": "relationship", "modified": "2019-09-15T15:35:33.380Z", "created": "2019-09-03T20:08:00.757Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d", "type": "relationship", "modified": "2019-09-15T15:35:33.378Z", "created": "2019-09-03T20:08:00.760Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", "type": "relationship", "modified": "2019-09-15T15:35:33.379Z", "created": "2019-09-03T20:08:00.764Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": " [Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform man-in-the-middle attacks.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "id": "relationship--b3cdaa2c-30a2-496b-b577-db2e18045ff8", "type": "relationship", "modified": "2019-09-04T14:32:12.274Z", "created": "2019-09-04T14:28:15.205Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": " [Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "id": "relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9", "type": "relationship", "modified": "2019-09-04T14:32:12.252Z", "created": "2019-09-04T14:28:15.316Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": " [Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "id": "relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc", "type": "relationship", "modified": "2019-09-04T14:32:12.414Z", "created": "2019-09-04T14:28:15.412Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user\u2019s password, aiding an adversary in computing the user\u2019s plaintext password/PIN from the stored password hash. [Monokle](https://attack.mitre.org/software/S0407) can also capture the user\u2019s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", "type": "relationship", "modified": "2019-10-14T17:51:37.979Z", "created": "2019-09-04T14:28:15.471Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS/phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", "type": "relationship", "modified": "2019-10-14T17:51:37.983Z", "created": "2019-09-04T14:28:15.479Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2", "type": "relationship", "modified": "2019-09-04T14:32:12.553Z", "created": "2019-09-04T14:28:15.482Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", "type": "relationship", "modified": "2019-09-04T14:32:12.568Z", "created": "2019-09-04T14:28:15.909Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", "type": "relationship", "modified": "2019-09-04T14:32:12.589Z", "created": "2019-09-04T14:28:15.941Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365", "type": "relationship", "modified": "2019-10-14T17:51:38.028Z", "created": "2019-09-04T14:28:15.950Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--a20581b4-21fa-4ed9-b056-d139998868e8", "type": "relationship", "modified": "2019-09-04T14:32:12.618Z", "created": "2019-09-04T14:28:15.970Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", "type": "relationship", "modified": "2019-10-14T17:51:38.054Z", "created": "2019-09-04T14:28:15.975Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", "type": "relationship", "modified": "2019-09-04T14:32:12.803Z", "created": "2019-09-04T14:28:15.991Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", "type": "relationship", "modified": "2019-09-04T14:32:12.856Z", "created": "2019-09-04T14:28:16.000Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527", "type": "relationship", "modified": "2019-09-04T14:32:12.926Z", "created": "2019-09-04T14:28:16.335Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", "type": "relationship", "modified": "2019-09-04T14:32:12.877Z", "created": "2019-09-04T14:28:16.385Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898", "type": "relationship", "modified": "2019-10-14T17:51:38.076Z", "created": "2019-09-04T14:28:16.414Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", "type": "relationship", "modified": "2019-09-04T14:32:13.000Z", "created": "2019-09-04T14:28:16.426Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. 
[Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", "type": "relationship", "modified": "2019-10-14T17:52:48.001Z", "created": "2019-09-04T14:28:16.478Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)", "relationship_type": "uses", "id": "relationship--34f9aed0-48a7-4815-8456-5541a7b8210f", "type": "relationship", "modified": "2019-10-14T17:51:38.140Z", "created": "2019-09-04T14:28:16.487Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", "type": "relationship", "modified": "2019-10-14T18:08:28.500Z", "created": "2019-09-04T15:38:56.562Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", "type": "relationship", "modified": "2019-09-10T14:59:25.979Z", "created": "2019-09-04T15:38:56.597Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" }, { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." } ], "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "id": "relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556", "type": "relationship", "modified": "2019-09-10T14:59:26.077Z", "created": "2019-09-04T15:38:56.678Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "id": "relationship--e135cefa-f019-479d-86eb-438972df73e0", "type": "relationship", "modified": "2019-09-10T14:59:26.079Z", "created": "2019-09-04T15:38:56.702Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" }, { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "id": "relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8", "type": "relationship", "modified": "2019-10-14T18:08:28.593Z", "created": "2019-09-04T15:38:56.721Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019." } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", "type": "relationship", "modified": "2019-10-14T18:08:28.599Z", "created": "2019-09-04T15:38:56.774Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", "type": "relationship", "modified": "2019-09-10T14:59:26.139Z", "created": "2019-09-04T15:38:56.786Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." 
} ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", "type": "relationship", "modified": "2019-09-10T14:59:26.138Z", "created": "2019-09-04T15:38:56.799Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "id": "relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1", "type": "relationship", "modified": "2019-09-10T14:59:26.072Z", "created": "2019-09-04T15:38:56.809Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." }, { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." 
} ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", "relationship_type": "uses", "id": "relationship--de45db46-2251-4a29-b4d7-3fcf679e9484", "type": "relationship", "modified": "2019-10-14T18:08:28.633Z", "created": "2019-09-04T15:38:56.877Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "id": "relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb", "type": "relationship", "modified": "2019-09-10T14:59:26.073Z", "created": "2019-09-04T15:38:56.881Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." 
} ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "id": "relationship--4af26643-880f-4c34-a4a8-23e89b950c9d", "type": "relationship", "modified": "2019-09-10T14:59:26.134Z", "created": "2019-09-04T15:38:56.883Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." } ], "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", "type": "relationship", "modified": "2019-09-10T14:59:26.071Z", "created": "2019-09-04T15:38:56.916Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." 
} ], "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "id": "relationship--4449ac76-8329-4483-b152-99b990006cbc", "type": "relationship", "modified": "2019-09-10T14:59:26.067Z", "created": "2019-09-04T15:38:56.937Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." } ], "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", "type": "relationship", "modified": "2019-09-10T14:59:26.136Z", "created": "2019-09-04T15:38:56.946Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." 
} ], "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", "type": "relationship", "modified": "2019-09-10T14:59:26.171Z", "created": "2019-09-04T15:38:56.994Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "id": "relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1", "type": "relationship", "modified": "2019-09-10T14:59:26.172Z", "created": "2019-09-04T15:38:57.037Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "relationship_type": "mitigates", "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). 
An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "id": "relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0", "type": "relationship", "modified": "2020-06-24T15:03:26.129Z", "created": "2019-09-04T20:01:42.722Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "relationship_type": "mitigates", "description": "Application developers can apply `FLAG_SECURE` to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016)", "id": "relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae", "external_references": [ { "source_name": "Nightwatch screencap April 2016", "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/", "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019." 
} ], "type": "relationship", "modified": "2020-06-24T15:03:26.126Z", "created": "2019-09-04T20:01:42.753Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "relationship_type": "mitigates", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273", "type": "relationship", "modified": "2020-06-24T15:02:13.533Z", "created": "2019-09-15T15:26:22.926Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "relationship_type": "mitigates", "description": "Application developers could be encouraged to avoid placing sensitive data in notification text.", "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", "type": "relationship", "modified": "2020-07-09T14:07:02.315Z", "created": "2019-09-15T15:32:17.563Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "relationship_type": "mitigates", "description": "On Android devices with a managed work profile (enterprise managed portion of the device), the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications 
(including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The `DevicePolicyManager.setApplicationHidden` method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.(Citation: Android Notification Listeners)", "id": "relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45", "external_references": [ { "source_name": "Android Notification Listeners", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)", "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019." } ], "type": "relationship", "modified": "2020-07-09T14:07:02.320Z", "created": "2019-09-15T15:32:17.580Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", "type": "relationship", "modified": "2019-09-15T15:35:33.215Z", "created": "2019-09-15T15:35:33.215Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "relationship_type": "mitigates", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "id": "relationship--955942ac-cb07-45e3-8ff1-1a2113c6aa49", "type": "relationship", "modified": "2020-06-24T15:04:20.674Z", "created": "2019-09-18T19:04:47.108Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "relationship_type": "mitigates", "description": "On Android 10 and above devices, applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime.(Citation: Android 10 Execute)", "id": 
"relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817", "external_references": [ { "source_name": "Android 10 Execute", "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission", "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019." } ], "type": "relationship", "modified": "2019-10-09T19:40:52.483Z", "created": "2019-09-20T18:03:57.062Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", "type": "relationship", "modified": "2019-09-23T13:36:08.335Z", "created": "2019-09-23T13:36:08.335Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103", "type": "relationship", "modified": "2019-10-14T20:49:24.648Z", "created": "2019-09-23T13:36:08.341Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", "type": "relationship", "modified": "2019-09-23T13:36:08.386Z", "created": "2019-09-23T13:36:08.386Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). 
The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", "type": "relationship", "modified": "2019-10-14T20:49:24.646Z", "created": "2019-09-23T13:36:08.390Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. 
[Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545", "type": "relationship", "modified": "2020-09-11T15:53:38.503Z", "created": "2019-09-23T13:36:08.429Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", "type": "relationship", "modified": "2019-09-23T13:36:08.441Z", "created": "2019-09-23T13:36:08.441Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) is distributed through phishing links sent in SMS messages as `AvitoPay.apk`.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--cbde808a-08b3-4afc-bb87-21acc4b767c1", "type": "relationship", "modified": "2019-10-14T20:49:24.632Z", "created": "2019-09-23T13:36:08.445Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", "type": "relationship", "modified": "2019-10-15T19:56:50.651Z", "created": "2019-09-23T13:36:08.448Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). 
The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d", "type": "relationship", "modified": "2019-10-14T20:49:24.690Z", "created": "2019-09-23T13:36:08.451Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user to enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. 
If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962", "type": "relationship", "modified": "2019-09-23T13:36:08.456Z", "created": "2019-09-23T13:36:08.456Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52", "type": "relationship", "modified": "2019-09-23T13:36:08.459Z", "created": "2019-09-23T13:36:08.459Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--9951d8c0-d210-4776-808b-421b613f244f", "type": "relationship", "modified": "2019-09-23T13:36:08.463Z", "created": "2019-09-23T13:36:08.463Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590", "type": "relationship", "modified": "2019-10-14T20:49:24.705Z", "created": "2019-09-23T13:36:08.543Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": " [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "id": "relationship--efd35b6f-7a61-4998-97ff-608547e40f66", "type": "relationship", "modified": "2019-10-01T14:23:44.054Z", "created": "2019-10-01T14:23:44.054Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": " [Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "id": "relationship--4fc165fd-185e-4c70-b423-c242cf715510", "type": "relationship", "modified": "2019-10-07T16:32:27.127Z", "created": "2019-10-07T16:32:27.127Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019." } ], "description": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", "type": "relationship", "modified": "2019-10-10T15:03:27.682Z", "created": "2019-10-10T15:03:27.682Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50", "type": "relationship", "modified": "2019-10-10T15:14:57.378Z", "created": "2019-10-10T15:14:57.378Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm", "source_name": "FlexiSpy-Features" } ], "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", "type": "relationship", "modified": "2019-10-14T18:08:28.666Z", "created": "2019-10-10T15:17:00.972Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", "type": "relationship", "modified": "2019-10-10T15:22:52.545Z", "created": "2019-10-10T15:22:52.545Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "url": 
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", "type": "relationship", "modified": "2019-10-10T15:27:22.091Z", "created": "2019-10-10T15:27:22.091Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff", "source_name": "Group IB Gustuff Mar 2019" } ], "description": "[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ", "relationship_type": "uses", "id": "relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69", "type": "relationship", "modified": "2019-10-14T19:14:18.673Z", "created": "2019-10-14T19:14:18.673Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", "type": "relationship", "modified": "2019-10-14T20:49:24.571Z", "created": "2019-10-14T20:49:24.571Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "description": "[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", "type": "relationship", "modified": "2019-10-15T19:33:42.204Z", "created": "2019-10-15T19:33:42.204Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "description": "Decrease likelihood of successful privilege escalation attack.", "relationship_type": "mitigates", "id": "relationship--e3940ca1-1a78-4440-97a3-c9990151cc6a", "type": "relationship", "modified": "2019-10-18T14:50:57.402Z", "created": 
"2019-10-18T14:50:57.402Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "relationship_type": "mitigates", "id": "relationship--a976221c-7ed2-4e4e-a8db-ca87d49fb5eb", "type": "relationship", "modified": "2019-10-18T14:56:15.771Z", "created": "2019-10-18T14:50:57.430Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", "relationship_type": "mitigates", "id": "relationship--08327d65-1a15-4d65-961f-4c088c971a25", "type": "relationship", "modified": "2019-10-18T14:56:15.802Z", "created": "2019-10-18T14:50:57.432Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "relationship_type": "mitigates", "id": "relationship--ccdc17ba-eced-40df-ab9d-7734e0e9243c", "type": "relationship", "modified": "2019-10-18T14:56:15.814Z", "created": "2019-10-18T14:50:57.435Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "relationship_type": "mitigates", "id": "relationship--e9f2a3ac-162c-4fa0-b23a-0da5746344bc", "type": "relationship", "modified": "2019-10-18T14:56:15.813Z", "created": 
"2019-10-18T14:50:57.437Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "relationship_type": "mitigates", "id": "relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76", "type": "relationship", "modified": "2019-10-18T14:56:15.838Z", "created": "2019-10-18T14:50:57.472Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "relationship_type": "mitigates", "id": "relationship--cc81b56c-cf73-4307-b950-e80246985195", "type": "relationship", "modified": "2019-10-18T14:56:15.831Z", "created": "2019-10-18T14:50:57.473Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", "relationship_type": "mitigates", "id": "relationship--5aaf8838-d4c3-4d11-b70a-0dc1e72c3c07", "type": "relationship", "modified": "2019-10-18T14:56:15.841Z", "created": "2019-10-18T14:50:57.475Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "relationship_type": "mitigates", "id": "relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d", "type": "relationship", "modified": "2019-10-18T14:56:15.812Z", "created": 
"2019-10-18T14:50:57.491Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "relationship_type": "mitigates", "id": "relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f", "type": "relationship", "modified": "2019-10-18T14:56:15.878Z", "created": "2019-10-18T14:50:57.494Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "relationship_type": "mitigates", "id": "relationship--9c8bbd04-0e12-4066-a276-feec87db8271", "type": "relationship", "modified": "2019-10-18T14:56:15.877Z", "created": "2019-10-18T14:50:57.496Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", "relationship_type": "mitigates", "id": "relationship--254a8d5f-8431-4364-96db-d34d740e1384", "type": "relationship", "modified": "2019-10-18T14:56:15.879Z", "created": "2019-10-18T14:50:57.509Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "relationship_type": "mitigates", "id": "relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414", "type": "relationship", "modified": "2019-10-18T14:56:15.863Z", "created": 
"2019-10-18T14:50:57.521Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "relationship_type": "mitigates", "id": "relationship--16a68568-f240-47f4-9f0c-5b4de449b5d6", "type": "relationship", "modified": "2019-10-18T14:56:15.909Z", "created": "2019-10-18T14:50:57.524Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", "relationship_type": "mitigates", "id": "relationship--4ed2e379-ce9c-44b2-b862-666b0b008427", "type": "relationship", "modified": "2019-10-18T14:56:15.913Z", "created": "2019-10-18T14:50:57.564Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "relationship_type": "mitigates", "id": "relationship--02f9a60a-2115-4c43-b9c2-c49809fb9e76", "type": "relationship", "modified": "2019-10-18T14:56:15.911Z", "created": "2019-10-18T14:50:57.566Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "relationship_type": "mitigates", "id": "relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea", "type": "relationship", "modified": "2019-10-18T14:52:53.193Z", "created": 
"2019-10-18T14:52:53.193Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "description": "Enterprises could perform app vetting before allowing apps to be installed on devices and search for abuse of accessibility features as part of the analysis, or otherwise use mobile app reputation services to search for known malicious apps.", "relationship_type": "mitigates", "id": "relationship--e8dac11f-8c51-4b80-9ada-db15ff5f1114", "type": "relationship", "modified": "2020-03-30T14:03:43.942Z", "created": "2019-10-18T15:11:37.091Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "external_references": [ { "url": "https://www.blackhat.com/docs/eu-16/materials/eu-16-Maggi-Pocket-Sized-Badness-Why-Ransomware-Comes-As-A-Plot-Twist-In-The-Cat-Mouse-Game.pdf", "description": "Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.", "source_name": "Maggi-Ransomware" } ], "description": "It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. 
A static analysis approach can be used to identify ransomware apps including apps that abuse Device Administrator access.(Citation: Maggi-Ransomware)", "relationship_type": "mitigates", "id": "relationship--5592b50e-a184-4a75-8501-99072d3a5b5f", "type": "relationship", "modified": "2019-10-18T15:11:37.106Z", "created": "2019-10-18T15:11:37.106Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "description": "On Android, accessing device calendar data requires that the app hold the READ_CALENDAR permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access device calendar data, with extra scrutiny applied to any that do so.", "relationship_type": "mitigates", "id": "relationship--d5110dc7-ffcc-4c8b-ad09-8697ad2f64e3", "type": "relationship", "modified": "2019-10-18T15:11:37.179Z", "created": "2019-10-18T15:11:37.179Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "description": "On Android, accessing the device call log requires that the app hold the READ_CALL_LOG permission. 
Apps that request this permission could be closely scrutinized to ensure that the request is appropriate.", "relationship_type": "mitigates", "id": "relationship--d7b22dc7-24fa-4036-befb-83fc2eeab6f6", "type": "relationship", "modified": "2019-10-18T15:11:37.181Z", "created": "2019-10-18T15:11:37.181Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "description": "Enterprises performing application vetting could search for applications that declare the RECEIVE_SMS permission and scrutinize them closely.", "relationship_type": "mitigates", "id": "relationship--c9ece136-83fe-446f-abde-f3f30a5ceaa3", "type": "relationship", "modified": "2019-10-18T15:11:37.223Z", "created": "2019-10-18T15:11:37.223Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "relationship_type": "mitigates", "id": "relationship--376b8f2a-636e-4fa7-be6a-4300410c1954", "type": "relationship", "modified": "2019-10-18T15:33:18.713Z", "created": "2019-10-18T15:11:37.225Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "description": "Application vetting techniques could be used to attempt to identify applications with this behavior.", "relationship_type": "mitigates", "id": "relationship--275a0930-7409-4238-a072-f194cbd84057", "type": "relationship", 
"modified": "2019-10-18T15:11:37.227Z", "created": "2019-10-18T15:11:37.227Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "description": "App store operators and enterprises could assess reputational characteristics of the app, including the popularity of the app or other apps from the same developer and whether or not security issues have been found in other apps from the same developer.", "relationship_type": "mitigates", "id": "relationship--737b3964-d09c-4e62-94bc-208302402c9b", "type": "relationship", "modified": "2019-10-18T15:11:37.248Z", "created": "2019-10-18T15:11:37.248Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", "relationship_type": "mitigates", "id": "relationship--1121d23e-a20a-4de2-a1d6-e0d519664850", "type": "relationship", "modified": "2019-10-18T15:33:18.727Z", "created": "2019-10-18T15:11:37.251Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "description": "Application vetting techniques may be able to alert to the presence of obfuscated or encrypted code in applications, and such applications could have extra scrutiny applied. 
Unfortunately, this mitigation is likely impractical, as many legitimate applications apply code obfuscation or encryption to resist adversary techniques such as Repackaged Application. Dynamic analysis when used in application vetting may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", "relationship_type": "mitigates", "id": "relationship--bd41c8b6-b587-4531-b015-55fdb357cb25", "type": "relationship", "modified": "2019-10-18T15:11:37.252Z", "created": "2019-10-18T15:11:37.252Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "description": "During application vetting, applications could be examined to see if they have this behavior, and extra scrutiny could potentially be given to applications that do.", "relationship_type": "mitigates", "id": "relationship--94b368c8-7983-4f42-983b-3b89fb824943", "type": "relationship", "modified": "2019-10-18T15:11:37.254Z", "created": "2019-10-18T15:11:37.254Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "description": "On Android, accessing the device contact list requires that the app hold the READ_CONTACTS permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. 
On iOS, the app vetting process can determine whether apps access the device contact list, with extra scrutiny applied to any that do so.", "relationship_type": "mitigates", "id": "relationship--208c99ae-cc99-4172-89e7-3503600a9338", "type": "relationship", "modified": "2019-10-18T15:11:37.257Z", "created": "2019-10-18T15:11:37.257Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "description": "App vetting procedures can search for apps that use the android.os.Build class, but these procedures could potentially be evaded and are likely not practical in this case, as many apps are likely to use this functionality as part of their legitimate behavior.", "relationship_type": "mitigates", "id": "relationship--fad69d13-2611-43b7-ad06-55489011f182", "type": "relationship", "modified": "2019-11-20T19:56:49.439Z", "created": "2019-10-18T15:11:37.258Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "description": "Application vetting may be able to identify the presence of exploit code within applications.", "relationship_type": "mitigates", "id": "relationship--fedd60df-8d71-4799-8e94-73a3fd9700de", "type": "relationship", "modified": "2019-10-18T15:11:37.260Z", "created": "2019-10-18T15:11:37.260Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": 
"attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "description": "Closely scrutinize applications that request VPN access before allowing their use.", "relationship_type": "mitigates", "id": "relationship--b2c43f7d-f0df-46f8-9257-40ded1948307", "type": "relationship", "modified": "2019-10-18T15:11:37.261Z", "created": "2019-10-18T15:11:37.261Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "relationship_type": "mitigates", "id": "relationship--ebbae7c2-fd79-4191-9369-e3b35283d4e1", "type": "relationship", "modified": "2019-10-18T15:33:18.868Z", "created": "2019-10-18T15:11:37.266Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "relationship_type": "mitigates", "id": "relationship--1f5ce357-f273-4a97-9086-b74652063372", "description": "Applications could be vetted for their use of the clipboard manager APIs, with extra scrutiny given to applications that make use of them.", "type": "relationship", "modified": "2019-10-18T15:33:18.848Z", "created": "2019-10-18T15:11:37.267Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "description": "Application vetting techniques could (either statically or dynamically) look for indications that the application downloads and executes new code at runtime (e.g., on Android 
use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability, or on iOS use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques, as the techniques are often used without malicious intent, and because applications may employ other techniques to hide their use of these techniques.", "relationship_type": "mitigates", "id": "relationship--62c3656a-e771-4da1-80f9-2c93fc42e7ec", "type": "relationship", "modified": "2019-10-18T15:11:37.270Z", "created": "2019-10-18T15:11:37.270Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "description": "On Android, applications must request the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permission to access the device's physical location. Extra scrutiny could be given to applications that request these permissions. 
On iOS, calls to the relevant APIs could be detected during the vetting process.", "relationship_type": "mitigates", "id": "relationship--4727b752-0dc3-49b7-9fb1-2909ee560836", "type": "relationship", "modified": "2019-10-18T15:11:37.271Z", "created": "2019-10-18T15:11:37.271Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "description": "Application vetting could be used to analyze applications to determine whether they access this information, including determining whether the application requests the Android ACCESS_NETWORK_STATE permission (required in order to access NetworkInterface information) or the READ_PHONE_STATE permission (required in order to access TelephonyManager information).", "relationship_type": "mitigates", "id": "relationship--9047dd87-40da-4d01-a4fd-23cc56df6a08", "type": "relationship", "modified": "2020-06-02T14:35:01.824Z", "created": "2019-10-18T15:11:37.273Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "description": "Application vetting techniques could search for use of the Android PackageManager class to enumerate other apps, and such applications could have extra scrutiny applied to them. However, this technique may not be practical if many apps invoke these methods as part of their legitimate behavior. On iOS, application vetting techniques could similarly search for use of the private API call necessary to obtain a list of apps installed on the device. 
Additionally, on iOS, use of the private API call is likely to result in the app not being accepted into Apple's App Store.", "relationship_type": "mitigates", "id": "relationship--4386e7d1-f21f-4055-9468-6af209ec4731", "type": "relationship", "modified": "2019-10-18T15:11:37.277Z", "created": "2019-10-18T15:11:37.277Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "relationship_type": "mitigates", "id": "relationship--a62f9f72-d5a6-4e12-ac53-62bd4c81aa4d", "description": "Application vetting services can check for applications that request SMS permissions, and can provide extra scrutiny to those that do.", "type": "relationship", "modified": "2020-05-04T15:38:57.137Z", "created": "2019-10-18T15:11:37.282Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "external_references": [ { "url": "https://developer.apple.com/library/content/documentation/General/Conceptual/AppSearch/UniversalLinks.html", "description": "Apple. (n.d.). Support Universal Links. Retrieved December 21, 2016.", "source_name": "Apple-UniversalLinks" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "description": "Check for potential malicious definitions of URL schemes when vetting applications. Also, when examining apps for potential vulnerabilities, encourage use of universal links as an alternative to URL schemes. 
When examining apps that use OAuth, encourage use of best practices.(Citation: Apple-UniversalLinks)(Citation: IETF-OAuthNativeApps)", "relationship_type": "mitigates", "id": "relationship--2e58b22f-b889-49fd-bbe1-37a907a5fcb1", "type": "relationship", "modified": "2020-10-23T15:05:40.932Z", "created": "2019-10-18T15:11:37.264Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "external_references": [ { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" }, { "url": "https://developer.android.com/training/app-links/index.html", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "source_name": "Android-AppLinks" } ], "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or the App Links feature added in Android 6.0). 
For mobile applications using OAuth, encourage use of best practices.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "relationship_type": "mitigates", "id": "relationship--c8516d70-8992-4946-90b3-37435be40822", "type": "relationship", "modified": "2020-10-01T12:42:21.946Z", "created": "2019-10-18T15:11:37.274Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "external_references": [ { "url": "https://www.blackhat.com/docs/eu-16/materials/eu-16-Maggi-Pocket-Sized-Badness-Why-Ransomware-Comes-As-A-Plot-Twist-In-The-Cat-Mouse-Game.pdf", "description": "Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.", "source_name": "Maggi-Ransomware" } ], "description": "A static analysis approach may be able to identify ransomware apps that encrypt user files on the device.(Citation: Maggi-Ransomware)", "relationship_type": "mitigates", "id": "relationship--12332d52-6fd2-47a6-a3b5-d673150a9d12", "type": "relationship", "modified": "2019-10-18T15:11:37.278Z", "created": "2019-10-18T15:11:37.278Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "external_references": [ { "url": "https://support.google.com/faqs/answer/6346016?hl=en", "description": "Google. (n.d.). How to fix apps containing an unsafe implementation of TrustManager. 
Retrieved December 24, 2016.", "source_name": "Google-TrustManager" } ], "description": "Application vetting techniques can scan for use of cleartext communication, insecure TrustManager implementations, and other potential network communication weaknesses. The Google Play Store now automatically assesses submitted applications for insecure TrustManager implementations.(Citation: Google-TrustManager)", "relationship_type": "mitigates", "id": "relationship--d625bbc3-317c-4f94-a1b6-d51d03d20109", "type": "relationship", "modified": "2019-10-18T15:11:37.280Z", "created": "2019-10-18T15:11:37.280Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "description": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs.", "relationship_type": "mitigates", "id": "relationship--2c2a572c-92d1-47aa-9809-4a470cfae83c", "type": "relationship", "modified": "2019-10-18T15:33:18.550Z", "created": "2019-10-18T15:33:18.550Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "description": "Applications that register an accessibility service should be scrutinized further for malicious behavior.", "relationship_type": "mitigates", "id": "relationship--52a18c72-4370-485b-9a40-837eeddffd0d", "type": "relationship", "modified": "2020-06-24T15:02:13.531Z", "created": "2019-10-18T15:33:18.568Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "external_references": [ { "source_name": "Maggi-Ransomware", "description": "Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.", "url": "https://www.blackhat.com/docs/eu-16/materials/eu-16-Maggi-Pocket-Sized-Badness-Why-Ransomware-Comes-As-A-Plot-Twist-In-The-Cat-Mouse-Game.pdf" } ], "description": "It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. A static analysis approach can be used to identify ransomware apps including apps that abuse Device Administrator access.(Citation: Maggi-Ransomware)", "relationship_type": "mitigates", "id": "relationship--535113f0-0a0b-4a2e-b812-bba3fe995c0b", "type": "relationship", "modified": "2019-10-18T15:33:18.566Z", "created": "2019-10-18T15:33:18.566Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "description": "Applications that attempt to register themselves as a device keyboard or request the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration should be closely scrutinized during the vetting process.", "relationship_type": "mitigates", "id": "relationship--db2bbb61-e931-4059-97c8-863dff44b708", "type": "relationship", "modified": "2020-06-24T15:09:12.627Z", "created": "2019-10-18T15:33:18.624Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "description": "Applications using the android permission `android.permission.RECORD_AUDIO` or iOS applications using `RequestRecordPermission` could be more closely scrutinized and monitored. If `android.permission.CAPTURE_AUDIO_OUTPUT` is found in a third-party application, it should be heavily scrutinized.", "relationship_type": "mitigates", "id": "relationship--8ea95198-d36f-44fd-a4a9-195237a0ed5e", "type": "relationship", "modified": "2019-10-18T15:33:18.625Z", "created": "2019-10-18T15:33:18.625Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "description": "Ensure applications do not store data in an insecure fashion, such as in unprotected external storage, without acknowledging the risk that the data can potentially be accessed or modified by other applications.", "relationship_type": "mitigates", "id": "relationship--f0becdb8-2772-4848-be23-8e821067ada5", "type": "relationship", "modified": "2019-10-18T15:33:18.628Z", "created": "2019-10-18T15:33:18.628Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "description": "Applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands should be closely scrutinized. 
Google does not recommend the use of system properties within applications.", "relationship_type": "mitigates", "id": "relationship--91160659-69ef-452d-8668-5497a68e0e75", "type": "relationship", "modified": "2019-10-18T15:33:18.670Z", "created": "2019-10-18T15:33:18.670Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "description": "During the vetting process applications using the android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be analyzed more closely.", "relationship_type": "mitigates", "id": "relationship--1bfffe11-00f6-449a-9e08-0395080147ef", "type": "relationship", "modified": "2019-10-18T15:42:14.526Z", "created": "2019-10-18T15:33:18.671Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "description": "Applications can be vetted for their use of the Android MediaProjectionManager class, with extra scrutiny applied to any application that uses the class.", "relationship_type": "mitigates", "id": "relationship--0cb64ad4-bf3b-482c-be22-ce75e065691d", "type": "relationship", "modified": "2020-06-24T15:03:26.122Z", "created": "2019-10-18T15:33:18.675Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "description": "Applications could be vetted for their 
use of the clipboard manager APIs with extra scrutiny given to applications that make use of them.", "relationship_type": "mitigates", "id": "relationship--b6e43431-5312-44ae-bc61-54d4d6283bcc", "type": "relationship", "modified": "2019-10-18T15:33:18.678Z", "created": "2019-10-18T15:33:18.678Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "description": "Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required.", "relationship_type": "mitigates", "id": "relationship--42342d72-a37c-477e-b8f1-1768273fcb7f", "type": "relationship", "modified": "2020-06-24T15:03:26.152Z", "created": "2019-10-18T15:51:48.451Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "id": "relationship--a2b67309-7912-4fe2-a689-aaa1ce8778e0", "type": "relationship", "modified": "2020-04-08T15:19:56.522Z", "created": "2019-10-18T15:51:48.472Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "description": "Users should be warned against 
granting access to accessibility features, and should carefully scrutinize applications that request this dangerous permission.", "relationship_type": "mitigates", "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", "type": "relationship", "modified": "2020-06-24T15:02:13.534Z", "created": "2019-10-18T15:51:48.484Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration and accessibility permission requests.", "relationship_type": "mitigates", "id": "relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3", "type": "relationship", "modified": "2020-06-24T15:09:12.630Z", "created": "2019-10-18T15:51:48.487Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", "description": "Advise users to only connect mobile devices to PCs when a justified need exists (e.g., mobile app development and debugging).", "relationship_type": "mitigates", "id": "relationship--443da947-76ab-4e1e-aefd-24aa83dcc131", "type": "relationship", "modified": "2019-10-18T15:51:48.488Z", "created": "2019-10-18T15:51:48.488Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "description": "Encourage developers to protect their 
account credentials and enable multi-factor authentication if available. Encourage developers to protect their signing keys.", "relationship_type": "mitigates", "id": "relationship--c08a1ce8-2c04-4802-a08b-4ce86efd8d5a", "type": "relationship", "modified": "2019-10-18T15:51:48.490Z", "created": "2019-10-18T15:51:48.490Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "description": "iOS 9 and above requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store. Users should be encouraged to not agree to installation of applications signed with enterprise distribution keys unless absolutely certain of the source of the application. On Android, the \"Unknown Sources\" setting must be enabled for users to install apps from sources other than an authorized app store (such as the Google Play Store), so users should be encouraged not to enable that setting.", "relationship_type": "mitigates", "id": "relationship--b6cf5e3a-84a1-4b76-81d4-f1420b0acdb5", "type": "relationship", "modified": "2019-10-18T15:51:48.519Z", "created": "2019-10-18T15:51:48.519Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", "description": "Encourage users to protect their account credentials and to enable available multi-factor authentication options.", "relationship_type": "mitigates", "id": "relationship--9ea1777b-44d5-4763-bee9-fe782e29e68f", "type": "relationship", "modified": 
"2019-10-18T15:51:48.520Z", "created": "2019-10-18T15:51:48.520Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).", "relationship_type": "mitigates", "id": "relationship--56c28b61-6372-4bd8-b711-772232eebbb5", "type": "relationship", "modified": "2019-10-18T15:51:48.523Z", "created": "2019-10-18T15:51:48.523Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. 
Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", "relationship_type": "mitigates", "id": "relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", "type": "relationship", "modified": "2019-10-18T15:51:48.525Z", "created": "2019-10-18T15:51:48.525Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "description": "Encourage users to protect their account credentials and to enable available multi-factor authentication options.", "relationship_type": "mitigates", "id": "relationship--5fddb05c-6123-4354-8844-3e8a7d624d78", "type": "relationship", "modified": "2019-10-18T15:51:48.526Z", "created": "2019-10-18T15:51:48.526Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", "description": "Encourage users to protect their account credentials and to enable available multi-factor authentication options.", "relationship_type": "mitigates", "id": "relationship--77812d6a-4d1a-432e-805a-d810a742e93f", "type": "relationship", "modified": "2019-10-18T15:51:48.529Z", "created": "2019-10-18T15:51:48.529Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "relationship_type": "mitigates", "id": "relationship--08662ec2-e5c0-4512-960e-bc2e44804f1e", "type": "relationship", 
"modified": "2020-06-24T15:04:20.691Z", "created": "2019-10-18T15:53:07.541Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "relationship_type": "mitigates", "description": "Static or dynamic code analysis to look for misuse of dynamic libraries. Increased focus on applications utilizing `DexClassLoader`. ", "id": "relationship--5ab9a1e6-cd16-4553-bc29-b0f01c1cc7e1", "type": "relationship", "modified": "2020-03-29T04:07:06.820Z", "created": "2019-10-30T15:37:55.249Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." }, { "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", "source_name": "Kaspersky Triada March 2016" } ], "description": "[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. 
Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)", "relationship_type": "uses", "id": "relationship--c41d817e-913e-4574-b8d4-370de9f0034b", "type": "relationship", "modified": "2020-05-28T16:52:38.230Z", "created": "2019-11-18T14:47:25.327Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "relationship_type": "mitigates", "description": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.", "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694", "type": "relationship", "modified": "2019-12-26T16:14:33.468Z", "created": "2019-11-19T17:32:20.701Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "relationship_type": "mitigates", "description": "Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", "id": "relationship--e88151f0-f880-452e-9a00-8f38d33c4412", "type": "relationship", "modified": "2019-12-26T16:14:33.483Z", "created": "2019-11-19T17:32:21.107Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": 
"attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) was embedded into legitimate applications using Smali injection.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--ac9704b7-a4d0-4f85-9f7d-53b05809719b", "type": "relationship", "modified": "2019-11-21T16:42:48.413Z", "created": "2019-11-21T16:42:48.413Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8", "type": "relationship", "modified": "2019-11-21T16:42:48.437Z", "created": "2019-11-21T16:42:48.437Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device\u2019s call log.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--5aa167b8-4166-440b-b49f-bf1bab597237", "type": "relationship", "modified": "2019-11-21T16:42:48.441Z", "created": "2019-11-21T16:42:48.441Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", "type": "relationship", "modified": "2020-01-21T14:20:50.455Z", "created": "2019-11-21T16:42:48.456Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8", "type": "relationship", "modified": "2019-11-21T16:42:48.459Z", "created": "2019-11-21T16:42:48.459Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
} ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device\u2019s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", "type": "relationship", "modified": "2020-01-21T14:20:50.474Z", "created": "2019-11-21T16:42:48.488Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", "type": "relationship", "modified": "2019-11-21T16:42:48.490Z", "created": "2019-11-21T16:42:48.490Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP for C2 communication and data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "id": "relationship--d59da983-c521-47b6-83ab-435f7d58611d", "type": "relationship", "modified": "2020-01-21T14:20:50.500Z", "created": "2019-11-21T16:42:48.493Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", "type": "relationship", "modified": "2019-11-21T16:42:48.495Z", "created": "2019-11-21T16:42:48.495Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", "type": "relationship", "modified": "2019-11-21T16:42:48.497Z", "created": "2019-11-21T16:42:48.497Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", "type": "relationship", "modified": "2020-01-21T14:20:50.492Z", "created": "2019-11-21T16:42:48.501Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) was primarily distributed via Telegram and WhatsApp messages.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--986cb3bf-98bb-4558-bec4-bd8c015449fd", "type": "relationship", "modified": "2019-11-21T16:42:48.529Z", "created": "2019-11-21T16:42:48.529Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." } ], "description": "[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "id": "relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f", "type": "relationship", "modified": "2020-01-27T17:01:31.912Z", "created": "2019-11-21T19:16:34.776Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). 
SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." } ], "description": "[SimBad](https://attack.mitre.org/software/S0419) can install attacker-specified applications.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "id": "relationship--03683255-a5fa-44ef-83b8-0bd55386c4b9", "type": "relationship", "modified": "2019-11-21T19:16:34.805Z", "created": "2019-11-21T19:16:34.805Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." } ], "description": "[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "id": "relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c", "type": "relationship", "modified": "2019-11-21T19:16:34.820Z", "created": "2019-11-21T19:16:34.820Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). 
SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." } ], "description": "[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "id": "relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a", "type": "relationship", "modified": "2019-11-21T19:16:34.796Z", "created": "2019-11-21T19:16:34.796Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." } ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) was delivered via the Google Play Store. It evaded Google Play Store review by first publishing a clean version of the application and then briefly replacing it with a malicious update before reverting to the clean version. 
This occurred at least 5 times in a one month period.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--28638246-abfb-4964-aa0f-57eb825338cc", "type": "relationship", "modified": "2020-01-22T22:17:23.114Z", "created": "2019-12-10T16:07:41.048Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." } ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", "type": "relationship", "modified": "2019-12-10T16:07:41.066Z", "created": "2019-12-10T16:07:41.066Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
} ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", "type": "relationship", "modified": "2019-12-10T16:07:41.078Z", "created": "2019-12-10T16:07:41.078Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." } ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdvm.so` or `libandroid_runtime.so`, depending on the Android OS version. These are system libraries belonging to the Dalvik and ART runtime environments respectively, so the patched code is loaded by the runtime itself. 
The patched function does nothing except execute `/system/bin/ip`, which is the malicious replacement described above.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b", "type": "relationship", "modified": "2020-01-22T22:17:23.140Z", "created": "2019-12-10T16:07:41.081Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." } ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources, turn off `VerifyApps`, and grant Device Administrator permissions directly via commands rather than through the UI, so these changes bypass the normal user-facing prompts.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f", "type": "relationship", "modified": "2019-12-10T16:07:41.083Z", "created": "2019-12-10T16:07:41.083Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
} ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", "type": "relationship", "modified": "2019-12-10T16:07:41.093Z", "created": "2019-12-10T16:07:41.093Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "source_name": "CheckPoint SimBad 2019" } ], "description": "[SimBad](https://attack.mitre.org/software/S0419) was embedded into legitimate applications.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "id": "relationship--9c834f8f-390e-4c60-b0be-9bdd8d9815c9", "type": "relationship", "modified": "2020-01-23T17:07:07.591Z", "created": "2020-01-14T15:32:11.804Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "source_name": "CheckPoint SimBad 2019" } ], "description": "[SimBad](https://attack.mitre.org/software/S0419) was distributed via the Google Play Store.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "id": "relationship--2758c6ce-8c56-462f-8cbc-fb32ab098646", "type": "relationship", "modified": "2020-01-23T17:07:07.588Z", "created": "2020-01-14T15:32:11.813Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." } ], "description": "[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e", "type": "relationship", "modified": "2020-01-14T17:47:08.826Z", "created": "2020-01-14T17:47:08.826Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. 
(2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." } ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "id": "relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6", "type": "relationship", "modified": "2020-03-26T19:00:42.461Z", "created": "2020-01-21T14:20:50.409Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "relationship_type": "mitigates", "description": "Application vetting can flag applications that open network connections to unknown domains or IP addresses for closer scrutiny of unauthorized file transfers, such as downloading attacker-specified files. Some application vetting services can also report precisely what content an application requested during execution.", "id": "relationship--9e87b99f-9ff6-4e40-aeaf-4e35668f72e9", "type": "relationship", "modified": "2020-01-21T15:27:30.478Z", "created": "2020-01-21T15:27:30.478Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", "type": "relationship", "modified": "2020-01-21T15:29:27.041Z", "created": "2020-01-21T15:29:27.041Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "external_references": [ { "source_name": "Lookout-Monokle", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." } ], "description": "[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", "type": "relationship", "modified": "2020-01-21T15:30:39.335Z", "created": "2020-01-21T15:30:39.335Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "relationship_type": "mitigates", "description": "Beginning with Android 8.0 (API level 26), applications targeting that level can no longer register in their manifest for most implicit system broadcasts, which limits the broadcasts a malicious app can use to trigger itself. Some broadcasts, including `BOOT_COMPLETED`, remain exempt from this restriction, so it does not remove every such trigger.(Citation: Android Changes to System Broadcasts)", "id": "relationship--58de1b14-43bb-4788-915b-9cd15cd11bf0", "external_references": [ { "source_name": "Android Changes to System Broadcasts", "url": 
"https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." } ], "type": "relationship", "modified": "2020-03-27T15:28:04.257Z", "created": "2020-01-27T16:22:11.510Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." } ], "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) delivered GolfSpy via a hosted application binary advertised on social media.(Citation: Trend Micro Bouncing Golf 2019) ", "relationship_type": "uses", "id": "relationship--10c503d7-850b-4ae2-8b14-186cbe214d33", "type": "relationship", "modified": "2020-03-26T20:58:44.871Z", "created": "2020-01-27T16:55:40.098Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020." } ], "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) distributed malware as repackaged legitimate applications, with the malicious code in the `com.golf` package.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--cedf4ccb-7fbb-45bb-aab4-a5ae676d9f48", "type": "relationship", "modified": "2020-03-26T20:58:44.911Z", "created": "2020-01-27T16:55:40.101Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can install attacker-specified applications.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--2a94bb7e-67af-4031-b4be-25c2a3ccd35c", "type": "relationship", "modified": "2020-01-27T17:05:58.182Z", "created": "2020-01-27T17:05:58.182Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. [GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", "type": "relationship", "modified": "2020-03-26T20:50:07.154Z", "created": "2020-01-27T17:05:58.201Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", "type": "relationship", "modified": "2020-01-27T17:05:58.213Z", "created": "2020-01-27T17:05:58.213Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3", "type": "relationship", "modified": "2020-01-27T17:05:58.215Z", "created": "2020-01-27T17:05:58.215Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s battery level, network operator, connection information, sensor information, and information about the device\u2019s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", "type": "relationship", "modified": "2020-01-27T17:05:58.237Z", "created": "2020-01-27T17:05:58.237Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s contact list.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--4009ff40-4616-4b1c-bff9-599e52ccab37", "type": "relationship", "modified": "2020-01-27T17:05:58.263Z", "created": "2020-01-27T17:05:58.263Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s call log.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a", "type": "relationship", "modified": "2020-01-27T17:05:58.265Z", "created": "2020-01-27T17:05:58.265Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can track the device\u2019s location.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", "type": "relationship", "modified": "2020-01-27T17:05:58.267Z", "created": "2020-01-27T17:05:58.267Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", "type": "relationship", "modified": "2020-01-27T17:05:58.271Z", "created": "2020-01-27T17:05:58.271Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "description": "E. Xu, G. Guo. 
(2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c", "type": "relationship", "modified": "2020-01-27T17:05:58.273Z", "created": "2020-01-27T17:05:58.273Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", "type": "relationship", "modified": "2020-01-27T17:05:58.276Z", "created": "2020-01-27T17:05:58.276Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "description": "E. Xu, G. Guo. 
(2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--f4aeacef-035c-4308-9e85-997703e27809", "type": "relationship", "modified": "2020-01-27T17:05:58.305Z", "created": "2020-01-27T17:05:58.305Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb", "type": "relationship", "modified": "2020-01-27T17:05:58.308Z", "created": "2020-01-27T17:05:58.308Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055", "type": "relationship", "modified": "2020-01-27T17:05:58.310Z", "created": "2020-01-27T17:05:58.310Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", "type": "relationship", "modified": "2020-01-27T17:05:58.312Z", "created": "2020-01-27T17:05:58.312Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--3dd0cd4d-bcde-4105-b98e-b32add191083", "type": "relationship", "modified": "2020-01-27T17:05:58.331Z", "created": "2020-01-27T17:05:58.331Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", "type": "relationship", "modified": "2020-03-26T20:50:07.266Z", "created": "2020-01-27T17:05:58.333Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e", "type": "relationship", "modified": "2020-01-27T17:05:58.335Z", "created": "2020-01-27T17:05:58.335Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "description": "(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", "type": "relationship", "modified": "2020-01-27T17:49:05.664Z", "created": "2020-01-27T17:49:05.664Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio, and can make phone calls.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--e7af5be1-721f-40c5-b647-659243a0a14b", "type": "relationship", "modified": "2020-04-08T15:41:19.321Z", "created": "2020-04-08T15:41:19.321Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4", "type": "relationship", "modified": "2020-04-08T18:55:29.238Z", "created": "2020-04-08T15:41:19.340Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) was distributed via a phishing link in an email.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--c200184f-3d11-452c-8362-bb66337df1f5", "type": "relationship", "modified": "2020-04-08T15:41:19.355Z", "created": "2020-04-08T15:41:19.355Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39", "type": "relationship", "modified": "2020-04-08T15:41:19.364Z", "created": "2020-04-08T15:41:19.364Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) requests accessibility service privileges while masquerading as \u201cGoogle Play Protect\u201d.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--0aab3d6b-a2b7-4e55-9614-4f2af8543af6", "type": "relationship", "modified": "2020-04-08T15:41:19.368Z", "created": "2020-04-08T15:41:19.368Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--6c35f99c-153d-4023-a29a-821488ce5418", "type": "relationship", "modified": "2020-04-08T15:41:19.383Z", "created": "2020-04-08T15:41:19.383Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998", "type": "relationship", "modified": "2020-04-08T15:41:19.385Z", "created": "2020-04-08T15:41:19.385Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. 
(2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc", "type": "relationship", "modified": "2020-04-08T15:41:19.400Z", "created": "2020-04-08T15:41:19.400Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device\u2019s contact list.(Citation: Cofense Anubis) ", "relationship_type": "uses", "id": "relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3", "type": "relationship", "modified": "2020-04-08T15:41:19.404Z", "created": "2020-04-08T15:41:19.404Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device\u2019s GPS location.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--806a9338-be20-4eef-aa54-067633ac0e58", "type": "relationship", "modified": "2020-04-08T15:41:19.421Z", "created": "2020-04-08T15:41:19.421Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f", "type": "relationship", "modified": "2020-09-11T15:42:15.628Z", "created": "2020-04-08T15:41:19.427Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5", "type": "relationship", "modified": "2020-04-08T15:41:19.445Z", "created": "2020-04-08T15:41:19.445Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--d01b311d-8741-4b58-b127-88fecb2b0544", "type": "relationship", "modified": "2020-04-08T15:41:19.448Z", "created": "2020-04-08T15:41:19.448Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device\u2019s ID.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794", "type": "relationship", "modified": "2020-04-08T15:41:19.451Z", "created": "2020-04-08T15:41:19.451Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", "type": "relationship", "modified": "2020-04-08T15:51:25.078Z", "created": "2020-04-08T15:51:25.078Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020." } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) has masqueraded as \u201cAdobe Flash Player\u201d and \u201cGoogle Play Verificator\u201d.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--47f9195c-d7b5-4336-9f65-814fa90d6bd2", "type": "relationship", "modified": "2020-04-09T17:03:46.123Z", "created": "2020-04-08T15:51:25.102Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", "type": "relationship", "modified": "2020-04-08T15:51:25.106Z", "created": "2020-04-08T15:51:25.106Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
} ], "description": "[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", "type": "relationship", "modified": "2020-04-08T15:51:25.120Z", "created": "2020-04-08T15:51:25.120Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--57293fc9-8838-4acd-a16f-48f516d0921e", "type": "relationship", "modified": "2020-04-08T15:51:25.122Z", "created": "2020-04-08T15:51:25.122Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
} ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--1cc71849-142f-4097-9546-7946b0b546a6", "type": "relationship", "modified": "2020-04-08T15:51:25.125Z", "created": "2020-04-08T15:51:25.125Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b", "type": "relationship", "modified": "2020-09-11T15:50:19.043Z", "created": "2020-04-08T15:51:25.128Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
} ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can download device log data.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--6b7a37c7-42a5-49ab-810a-4cf60784dea1", "type": "relationship", "modified": "2020-04-08T15:51:25.131Z", "created": "2020-04-08T15:51:25.131Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device\u2019s contact list.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9", "type": "relationship", "modified": "2020-04-08T15:51:25.149Z", "created": "2020-04-08T15:51:25.149Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
} ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", "type": "relationship", "modified": "2020-04-08T15:51:25.157Z", "created": "2020-04-08T15:51:25.157Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "external_references": [ { "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "source_name": "Cofense Anubis" } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd", "type": "relationship", "modified": "2020-04-09T16:45:38.751Z", "created": "2020-04-08T18:55:29.196Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved April 8, 2020.", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "source_name": "Cofense Anubis" } ], "description": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device.(Citation: Cofense Anubis)", "relationship_type": "uses", "id": "relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd", "type": "relationship", "modified": "2020-04-09T16:45:38.746Z", "created": "2020-04-08T18:55:29.205Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", "type": "relationship", "modified": "2020-04-24T15:06:33.319Z", "created": "2020-04-24T15:06:33.319Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--818b8c2b-bd23-4a83-9970-d42063608699", "type": "relationship", "modified": "2020-04-24T15:06:33.393Z", "created": "2020-04-24T15:06:33.393Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device\u2019s call log.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad", "type": "relationship", "modified": "2020-04-24T15:06:33.397Z", "created": "2020-04-24T15:06:33.397Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209", "type": "relationship", "modified": "2020-04-24T15:06:33.450Z", "created": "2020-04-24T15:06:33.449Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests and has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--8f2929a9-cd25-4e07-b402-447da68aaa56", "type": "relationship", "modified": "2020-04-24T17:55:54.972Z", "created": "2020-04-24T15:06:33.455Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) has been distributed through the Play Store.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--826a8c49-a137-4cbe-9efe-6395365a9adc", "type": "relationship", "modified": "2020-04-24T15:06:33.463Z", "created": "2020-04-24T15:06:33.463Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", "type": "relationship", "modified": "2020-04-24T15:06:33.503Z", "created": "2020-04-24T15:06:33.503Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application\u2019s notification content.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", "type": "relationship", "modified": "2020-04-24T15:06:33.519Z", "created": "2020-04-24T15:06:33.519Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ", "relationship_type": "uses", "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", "type": "relationship", "modified": "2020-04-24T15:06:33.510Z", "created": "2020-04-24T15:06:33.510Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can track the device\u2019s location.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", "type": "relationship", "modified": "2020-04-24T15:06:33.495Z", "created": "2020-04-24T15:06:33.495Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af", "type": "relationship", "modified": "2020-04-24T17:55:55.049Z", "created": "2020-04-24T15:06:33.531Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--82f51cc6-6ce4-459e-b598-7b2b77983469", "type": "relationship", "modified": "2020-09-11T15:45:38.553Z", "created": "2020-04-24T15:06:33.526Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. 
Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Concipit1248](https://attack.mitre.org/software/S0426) has been distributed through the App Store.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--d227781f-94c0-4ddd-9b2e-0f5eac142d5d", "type": "relationship", "modified": "2020-04-24T15:12:11.148Z", "created": "2020-04-24T15:12:11.148Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "description": "[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", "type": "relationship", "modified": "2020-04-24T15:12:11.185Z", "created": "2020-04-24T15:12:11.185Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", "type": "relationship", "modified": "2020-04-24T15:12:11.189Z", "created": "2020-04-24T15:12:11.189Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020." } ], "description": "[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--605d95a1-0493-418e-9d81-de58531c4421", "type": "relationship", "modified": "2020-04-24T15:12:11.217Z", "created": "2020-04-24T15:12:11.217Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7", "type": "relationship", "modified": "2020-04-24T17:46:31.466Z", "created": "2020-04-24T17:46:31.466Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952", "type": "relationship", "modified": "2020-09-11T15:57:37.828Z", "created": "2020-04-24T17:46:31.564Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", "type": "relationship", "modified": "2020-04-27T15:27:26.539Z", "created": "2020-04-24T17:46:31.586Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": 
"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2", "type": "relationship", "modified": "2020-04-24T17:46:31.589Z", "created": "2020-04-24T17:46:31.589Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--022e941f-30c3-45a9-9f6f-36e704b80060", "type": "relationship", "modified": "2020-04-27T15:27:26.587Z", "created": "2020-04-24T17:46:31.574Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", "type": "relationship", "modified": "2020-04-24T17:46:31.582Z", "created": "2020-04-24T17:46:31.582Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. 
(2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--22773074-4a95-48e0-905f-688ce048b5ed", "type": "relationship", "modified": "2020-04-27T15:27:26.605Z", "created": "2020-04-24T17:46:31.593Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", "type": "relationship", "modified": "2020-04-24T17:46:31.603Z", "created": "2020-04-24T17:46:31.603Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", "type": "relationship", "modified": "2020-04-24T17:46:31.613Z", "created": "2020-04-24T17:46:31.613Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java\u2019s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", "type": "relationship", "modified": "2020-04-24T17:46:31.607Z", "created": "2020-04-24T17:46:31.607Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--7defdb15-65d1-40ca-a9da-5c0484892484", "type": "relationship", "modified": "2020-04-24T17:46:31.616Z", "created": "2020-04-24T17:46:31.616Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--ed3293cf-de4f-4a73-98af-24325e8187c9", "type": "relationship", "modified": "2020-04-24T17:46:31.598Z", "created": "2020-04-24T17:46:31.598Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", "type": "relationship", "modified": "2020-04-24T17:46:31.691Z", "created": "2020-04-24T17:46:31.691Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." 
} ], "description": "[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", "type": "relationship", "modified": "2020-04-27T16:52:49.444Z", "created": "2020-04-27T16:52:49.444Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "relationship_type": "mitigates", "description": "Application vetting services could look for the `native` keyword in function definitions. However, this is widely used for legitimate purposes, so this may not be feasible. Application vetting services may also be able to detect behaviors carried out through the Native Development Kit (NDK) via dynamic analysis.", "id": "relationship--1fe03d39-31e0-4ecf-be7a-e14ec734b037", "type": "relationship", "modified": "2020-04-28T18:34:15.741Z", "created": "2020-04-28T14:35:37.685Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "relationship_type": "mitigates", "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.", "id": "relationship--30c39439-27e9-4247-bf2c-e8d2d7fd3b6d", "type": "relationship", "modified": "2020-05-26T18:05:37.859Z", "created": "2020-05-04T13:49:35.216Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": 
"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "relationship_type": "mitigates", "description": "Attestation can detect rooted devices.", "id": "relationship--9861a2c9-88b6-4e63-88d1-31cd574fd763", "type": "relationship", "modified": "2020-05-26T18:05:37.875Z", "created": "2020-05-04T13:49:35.233Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "relationship_type": "mitigates", "description": "Security updates typically provide patches for vulnerabilities that enable device rooting.", "id": "relationship--ff628c18-8abf-4add-a055-d38031ca940d", "type": "relationship", "modified": "2020-05-26T18:05:37.906Z", "created": "2020-05-04T13:49:35.242Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "relationship_type": "mitigates", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "id": "relationship--ab5e939b-bd6f-4301-b341-85e70965f193", "type": "relationship", "modified": "2020-05-26T18:05:37.918Z", "created": "2020-05-04T13:49:35.249Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "external_references": [ { 
"source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--b7a31a11-6c84-4c28-a548-4751e4d71134", "type": "relationship", "modified": "2020-05-04T15:40:21.086Z", "created": "2020-05-04T14:04:56.158Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Check Point-Joker", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." }, { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. 
[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers as well as hiding code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", "type": "relationship", "modified": "2020-07-20T14:12:15.627Z", "created": "2020-05-04T14:04:56.179Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." 
} ], "description": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--1d828f51-1c04-466c-beaf-2d4de741a544", "type": "relationship", "modified": "2020-05-04T15:40:21.089Z", "created": "2020-05-04T14:04:56.184Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) collects the device\u2019s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", "type": "relationship", "modified": "2020-05-04T15:40:21.081Z", "created": "2020-05-04T14:04:56.189Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." 
} ], "description": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856", "type": "relationship", "modified": "2020-05-04T15:40:21.069Z", "created": "2020-05-04T14:04:56.211Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", "type": "relationship", "modified": "2020-05-04T15:40:21.076Z", "created": "2020-05-04T14:04:56.214Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." 
} ], "description": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. [Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", "relationship_type": "uses", "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", "type": "relationship", "modified": "2020-05-04T15:40:21.305Z", "created": "2020-05-04T14:04:56.217Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", "relationship_type": "uses", "id": "relationship--4f812a57-efdc-463b-bf37-baa4bca7502b", "type": "relationship", "modified": "2020-05-06T13:44:45.334Z", "created": "2020-05-04T14:22:20.348Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. 
Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) had many fake reviews and ratings on the Play Store.(Citation: Google Bread) ", "relationship_type": "uses", "id": "relationship--fb1fe91d-0997-4403-b2a6-88400f174791", "type": "relationship", "modified": "2020-05-07T15:06:51.458Z", "created": "2020-05-07T15:06:51.458Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "description": " [Bread](https://attack.mitre.org/software/S0432) has been distributed through the Play Store. Some versions started off as clean to build a userbase and developer reputation. 
These versions were then updated to introduce malicious code.(Citation: Google Bread) ", "relationship_type": "uses", "id": "relationship--b8be7302-e02c-4ca8-927b-0460558a0441", "type": "relationship", "modified": "2020-05-07T15:11:36.673Z", "created": "2020-05-07T15:11:36.673Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "relationship_type": "mitigates", "description": "Application vetting services could look for attempted usage of the Janus vulnerability.", "id": "relationship--d110c0b7-7187-4a0e-99c4-f64d8f9a3f99", "type": "relationship", "modified": "2020-05-27T13:23:34.509Z", "created": "2020-05-07T15:24:49.520Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "relationship_type": "mitigates", "description": "Security updates frequently contain patches to vulnerabilities.", "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", "type": "relationship", "modified": "2020-05-27T13:23:34.536Z", "created": "2020-05-07T15:24:49.530Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "relationship_type": "mitigates", "description": "Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.", "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", 
"type": "relationship", "modified": "2020-05-27T13:23:34.544Z", "created": "2020-05-07T15:24:49.583Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306", "type": "relationship", "modified": "2020-05-07T15:33:32.778Z", "created": "2020-05-07T15:33:32.778Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36", "type": "relationship", "modified": "2020-05-07T15:33:32.895Z", "created": "2020-05-07T15:33:32.895Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications\u2019 update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788", "type": "relationship", "modified": "2020-05-07T15:33:32.903Z", "created": "2020-05-07T15:33:32.903Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688", "type": "relationship", "modified": "2020-05-07T15:33:32.910Z", "created": "2020-05-07T15:33:32.910Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. [Agent Smith](https://attack.mitre.org/software/S0440)'s dropper is a weaponized legitimate Feng Shui Bundle.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "id": "relationship--41e58a79-f8e4-4929-82ad-e15ce384f7a1", "type": "relationship", "modified": "2020-05-11T16:13:43.150Z", "created": "2020-05-07T15:33:32.921Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. 
He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", "type": "relationship", "modified": "2020-05-07T15:33:32.928Z", "created": "2020-05-07T15:33:32.928Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440)\u2019s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--f5d24a31-53d2-4e84-9110-2da0582132cb", "type": "relationship", "modified": "2020-05-07T15:33:32.936Z", "created": "2020-05-07T15:33:32.936Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. 
Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device\u2019s application list.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", "type": "relationship", "modified": "2020-05-07T15:33:32.945Z", "created": "2020-05-07T15:33:32.945Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", "type": "relationship", "modified": "2020-05-11T16:13:43.062Z", "created": "2020-05-11T16:13:43.062Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. 
(2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "description": "[Agent Smith](https://attack.mitre.org/software/S0440) has been distributed through the 9apps app store.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "id": "relationship--e723fde7-7fa9-4ac8-a8ec-3fcbf097dbc8", "type": "relationship", "modified": "2020-05-11T16:13:43.111Z", "created": "2020-05-11T16:13:43.111Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "description": " [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", "type": "relationship", "modified": "2020-05-11T16:37:36.616Z", "created": "2020-05-11T16:37:36.616Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "description": " [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", "type": "relationship", "modified": "2020-05-11T16:37:36.673Z", "created": "2020-05-11T16:37:36.673Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)", "relationship_type": "uses", "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", "type": "relationship", "modified": "2020-06-02T14:32:31.767Z", "created": "2020-06-02T14:32:31.767Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." } ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", "relationship_type": "uses", "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", "type": "relationship", "modified": "2020-06-02T14:32:31.777Z", "created": "2020-06-02T14:32:31.777Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", "type": "relationship", "modified": "2020-06-24T18:24:35.795Z", "created": "2020-06-02T14:32:31.871Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." } ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", "relationship_type": "uses", "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", "type": "relationship", "modified": "2020-06-02T14:32:31.875Z", "created": "2020-06-02T14:32:31.875Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", "type": "relationship", "modified": "2020-06-02T14:32:31.878Z", "created": "2020-06-02T14:32:31.878Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." } ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device\u2019s location.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", "type": "relationship", "modified": "2020-06-02T14:32:31.885Z", "created": "2020-06-02T14:32:31.885Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ", "relationship_type": "uses", "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", "type": "relationship", "modified": "2020-06-02T14:32:31.888Z", "created": "2020-06-02T14:32:31.888Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." } ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s contact list.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--875dc21d-92c3-45bf-be37-faa44f4449bf", "type": "relationship", "modified": "2020-06-02T14:32:31.891Z", "created": "2020-06-02T14:32:31.891Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--5706742b-733d-44e9-a032-62b81ba05bcf", "type": "relationship", "modified": "2020-06-02T14:32:31.897Z", "created": "2020-06-02T14:32:31.897Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." } ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel\u2019s trust cache.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--269d4409-e287-4ef3-b5f3-765ec03e503e", "type": "relationship", "modified": "2020-06-02T14:32:31.900Z", "created": "2020-06-02T14:32:31.900Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--891edea2-817c-4eeb-9991-b6e095c269a8", "type": "relationship", "modified": "2020-06-02T14:32:31.903Z", "created": "2020-06-02T14:32:31.903Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." } ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 over TCP ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)", "relationship_type": "uses", "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", "type": "relationship", "modified": "2020-06-02T14:32:31.906Z", "created": "2020-06-02T14:32:31.906Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", "type": "relationship", "modified": "2020-06-02T14:32:31.910Z", "created": "2020-06-02T14:32:31.910Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)", "relationship_type": "uses", "id": "relationship--abf03652-acd0-4361-8a66-f7e70e8e4376", "type": "relationship", "modified": "2020-06-24T18:24:35.892Z", "created": "2020-06-02T14:32:31.913Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "relationship_type": "mitigates", "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications.", "id": "relationship--a32a8f00-8168-4aed-a928-4c107cda3328", "type": "relationship", "modified": "2020-06-24T19:02:46.750Z", "created": "2020-06-24T17:33:50.593Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "relationship_type": "mitigates", "description": "Apple regularly provides security updates for known OS vulnerabilities.", "id": "relationship--f97e3b5d-531d-4d06-b876-baf9a43aa01c", "type": "relationship", "modified": "2020-06-24T19:02:46.791Z", "created": "2020-06-24T17:33:50.610Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "relationship_type": "mitigates", "description": "Newer OS releases typically patch known root exploits disclosed in previous 
versions.", "id": "relationship--32d0832c-be5e-4939-a25a-a448cd679225", "type": "relationship", "modified": "2020-06-24T19:02:46.800Z", "created": "2020-06-24T17:33:50.612Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "relationship_type": "mitigates", "description": "Mobile security products can potentially detect jailbroken devices and take responsive action.", "id": "relationship--3b5d6c4f-1669-47d9-84fc-8af0adce2a29", "type": "relationship", "modified": "2020-06-24T19:02:46.794Z", "created": "2020-06-24T17:33:50.614Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device\u2019s keychain.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "id": "relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f", "type": "relationship", "modified": "2020-06-24T18:24:35.707Z", "created": "2020-06-24T18:24:35.707Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", "type": "relationship", "modified": "2020-06-26T14:55:13.261Z", "created": "2020-06-26T14:55:13.261Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", "type": "relationship", "modified": "2020-06-26T14:55:13.289Z", "created": "2020-06-26T14:55:13.289Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a", "type": "relationship", "modified": "2020-06-26T14:55:13.304Z", "created": "2020-06-26T14:55:13.304Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", "type": "relationship", "modified": "2020-06-26T14:55:13.307Z", "created": "2020-06-26T14:55:13.307Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--36268322-9f5e-4749-8760-6430178a3d68", "type": "relationship", "modified": "2020-06-26T14:55:13.311Z", "created": "2020-06-26T14:55:13.311Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "description": "[EventBot](https://attack.mitre.org/software/S0478) has used icons from popular applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--108e8cb9-8f35-4b63-8b0b-466f4ab0ed02", "type": "relationship", "modified": "2020-06-26T14:55:13.313Z", "created": "2020-06-26T14:55:13.313Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd", "type": "relationship", "modified": "2020-06-26T14:55:13.333Z", "created": "2020-06-26T14:55:13.333Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", "type": "relationship", "modified": "2020-06-26T14:55:13.349Z", "created": "2020-06-26T14:55:13.349Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", "type": "relationship", "modified": "2020-06-26T14:55:13.351Z", "created": "2020-06-26T14:55:13.351Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "description": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", "type": "relationship", "modified": "2020-06-26T14:55:13.380Z", "created": "2020-06-26T14:55:13.380Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39", "type": "relationship", "modified": "2020-06-26T14:55:13.387Z", "created": "2020-06-26T14:55:13.387Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). 
EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", "type": "relationship", "modified": "2020-06-26T14:55:13.382Z", "created": "2020-06-26T14:55:13.382Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", "relationship_type": "uses", "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", "type": "relationship", "modified": "2020-06-26T14:55:13.385Z", "created": "2020-06-26T14:55:13.385Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020." } ], "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) was delivered via the Google Play Store.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "id": "relationship--525211c1-6c8c-4d0c-899e-c31664c9629e", "type": "relationship", "modified": "2020-06-26T15:12:40.074Z", "created": "2020-06-26T15:12:40.074Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", "type": "relationship", "modified": "2020-06-26T15:12:40.077Z", "created": "2020-06-26T15:12:40.077Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020." } ], "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", "type": "relationship", "modified": "2020-06-26T15:12:40.094Z", "created": "2020-06-26T15:12:40.094Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", "type": "relationship", "modified": "2020-06-26T15:12:40.098Z", "created": "2020-06-26T15:12:40.098Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). 
Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. This is accomplished by registering its service for the `android.accessibilityservice.AccessibilityService` intent action, which the system uses to start an enabled accessibility service automatically, so no separate boot receiver is needed.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "id": "relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f", "type": "relationship", "modified": "2020-06-26T15:12:40.100Z", "created": "2020-06-26T15:12:40.100Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e", "type": "relationship", "modified": "2020-06-26T15:32:24.921Z", "created": "2020-06-26T15:32:24.921Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", "type": "relationship", "modified": "2020-06-26T15:32:24.955Z", "created": "2020-06-26T15:32:24.955Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a", "type": "relationship", "modified": "2020-06-26T15:32:24.962Z", "created": "2020-06-26T15:32:24.962Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1", "type": "relationship", "modified": "2020-06-26T15:32:25.002Z", "created": "2020-06-26T15:32:25.002Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device\u2019s contact list.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50", "type": "relationship", "modified": "2020-06-26T15:32:25.025Z", "created": "2020-06-26T15:32:25.025Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113", "type": "relationship", "modified": "2020-06-26T15:32:25.032Z", "created": "2020-06-26T15:32:25.032Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
}, { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", "type": "relationship", "modified": "2020-06-26T15:32:25.035Z", "created": "2020-06-26T15:32:25.035Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14", "type": "relationship", "modified": "2020-06-26T20:26:49.157Z", "created": "2020-06-26T15:32:25.043Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56", "type": "relationship", "modified": "2020-09-11T15:43:49.393Z", "created": "2020-06-26T15:32:25.045Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device\u2019s location.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--70fa8498-6117-4e15-ae3c-f53d63996826", "type": "relationship", "modified": "2020-06-26T15:32:25.050Z", "created": "2020-06-26T15:32:25.050Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." }, { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", "type": "relationship", "modified": "2020-06-26T15:32:25.058Z", "created": "2020-06-26T15:32:25.058Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac", "type": "relationship", "modified": "2020-06-26T15:32:25.060Z", "created": "2020-06-26T15:32:25.060Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", "type": "relationship", "modified": "2020-06-26T15:32:25.062Z", "created": "2020-06-26T15:32:25.062Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", "type": "relationship", "modified": "2020-06-26T15:32:25.074Z", "created": "2020-06-26T15:32:25.074Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Forbes Cerberus", "url": "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c", "description": "Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) has been delivered to the device via websites that prompt the user to \u201c[\u2026] install Adobe Flash Player\u201d and then download the malicious APK to the device.(Citation: Forbes Cerberus)", "relationship_type": "uses", "id": "relationship--f101c454-affd-432b-b08b-a8dd7513684a", "type": "relationship", "modified": "2020-06-26T15:32:25.140Z", "created": "2020-06-26T15:32:25.140Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "id": "relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02", "type": "relationship", "modified": "2020-06-26T15:32:25.144Z", "created": "2020-06-26T15:32:25.144Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "external_references": [ { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. 
(2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 over port 8888.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "id": "relationship--0c558826-5cea-422e-8e67-83e53c04d409", "type": "relationship", "modified": "2020-06-26T15:32:25.146Z", "created": "2020-06-26T15:32:25.146Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Forbes Cerberus", "url": "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c", "description": "Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). Retrieved June 26, 2020." } ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) has pretended to be an Adobe Flash Player installer.(Citation: Forbes Cerberus)", "relationship_type": "uses", "id": "relationship--822a677b-6d7b-4aa2-9cc3-878029b2ba4c", "type": "relationship", "modified": "2020-06-26T15:32:25.158Z", "created": "2020-06-26T15:32:25.158Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. 
Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "id": "relationship--a95fe853-d1d1-47dc-a776-b905daacfe32", "type": "relationship", "modified": "2020-06-26T20:16:32.181Z", "created": "2020-06-26T20:16:32.181Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", "type": "relationship", "modified": "2020-07-15T20:20:59.186Z", "created": "2020-07-15T20:20:59.186Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device\u2019s contact list.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e", "type": "relationship", "modified": "2020-07-15T20:20:59.200Z", "created": "2020-07-15T20:20:59.200Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1", "type": "relationship", "modified": "2020-09-11T15:52:12.652Z", "created": "2020-07-15T20:20:59.227Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--c574251b-93ad-4f55-8b84-2700dfab4622", "type": "relationship", "modified": "2020-07-15T20:20:59.280Z", "created": "2020-07-15T20:20:59.280Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", "type": "relationship", "modified": "2020-07-15T20:20:59.282Z", "created": "2020-07-15T20:20:59.282Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", "type": "relationship", "modified": "2020-07-15T20:20:59.284Z", "created": "2020-07-15T20:20:59.284Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources and can disable Play Protect.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3", "type": "relationship", "modified": "2020-07-15T20:20:59.287Z", "created": "2020-07-15T20:20:59.287Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. 
It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd", "type": "relationship", "modified": "2020-07-15T20:20:59.290Z", "created": "2020-07-15T20:20:59.289Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device\u2019s location.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6", "type": "relationship", "modified": "2020-07-15T20:20:59.296Z", "created": "2020-07-15T20:20:59.296Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--ece70dca-803c-4209-8792-7e56e9901288", "type": "relationship", "modified": "2020-07-15T20:20:59.291Z", "created": "2020-07-15T20:20:59.291Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", "type": "relationship", "modified": "2020-07-15T20:20:59.298Z", "created": "2020-07-15T20:20:59.298Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630", "type": "relationship", "modified": "2020-07-15T20:20:59.300Z", "created": "2020-07-15T20:20:59.300Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) has had the first stage (dropper) distributed via the Google Play Store.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--3f984e70-7826-4208-872f-48844fd0ab82", "type": "relationship", "modified": "2020-07-15T20:20:59.303Z", "created": "2020-07-15T20:20:59.303Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 443.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--e4e207ff-dd64-45e2-b876-ef5c3012bff2", "type": "relationship", "modified": "2020-07-15T20:20:59.310Z", "created": "2020-07-15T20:20:59.310Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. 
Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b", "type": "relationship", "modified": "2020-07-15T20:20:59.307Z", "created": "2020-07-15T20:20:59.307Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d", "type": "relationship", "modified": "2020-07-15T20:20:59.294Z", "created": "2020-07-15T20:20:59.294Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", "type": "relationship", "modified": "2020-07-15T20:20:59.305Z", "created": "2020-07-15T20:20:59.305Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", "type": "relationship", "modified": "2020-07-15T20:20:59.316Z", "created": "2020-07-15T20:20:59.316Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can mimic an app called \u201cStorage Settings\u201d if it cannot hide its icon.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--0e302702-222a-4239-bdc9-0f7500497983", "type": "relationship", "modified": "2020-07-15T20:20:59.312Z", "created": "2020-07-15T20:20:59.312Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. 
Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", "type": "relationship", "modified": "2020-07-15T20:20:59.314Z", "created": "2020-07-15T20:20:59.314Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. 
It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", "type": "relationship", "modified": "2020-07-15T20:20:59.318Z", "created": "2020-07-15T20:20:59.318Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d", "type": "relationship", "modified": "2020-07-17T13:25:29.860Z", "created": "2020-07-15T20:20:59.380Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2", "type": "relationship", "modified": "2020-07-24T14:13:43.099Z", "created": "2020-07-15T20:20:59.375Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", "type": "relationship", "modified": "2020-07-15T20:20:59.382Z", "created": "2020-07-15T20:20:59.382Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", "type": "relationship", "modified": "2020-07-15T20:20:59.377Z", "created": "2020-07-15T20:20:59.377Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) has masqueraded as \u201cGoogle service\u201d, \u201cGooglePlay\u201d, and \u201cFlash update\u201d.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--d9aac094-c5b6-437a-b457-0febe85f0db8", "type": "relationship", "modified": "2020-08-10T21:57:54.443Z", "created": "2020-07-20T13:27:33.424Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7", "type": "relationship", "modified": "2020-09-11T15:58:40.954Z", "created": "2020-07-20T13:27:33.440Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", "type": "relationship", "modified": "2020-08-10T21:57:54.526Z", "created": "2020-07-20T13:27:33.443Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", "type": "relationship", "modified": "2020-08-10T21:57:54.516Z", "created": "2020-07-20T13:27:33.459Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", "type": "relationship", "modified": "2020-08-10T21:57:54.686Z", "created": "2020-07-20T13:27:33.461Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", "type": "relationship", "modified": "2020-08-10T21:57:54.688Z", "created": "2020-07-20T13:27:33.483Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s contact list.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3", "type": "relationship", "modified": "2020-08-10T21:57:54.535Z", "created": "2020-07-20T13:27:33.486Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489)\u2019s code is obfuscated.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", "type": "relationship", "modified": "2020-08-10T21:57:54.704Z", "created": "2020-07-20T13:27:33.488Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s call log.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9", "type": "relationship", "modified": "2020-08-10T21:57:54.530Z", "created": "2020-07-20T13:27:33.509Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1", "type": "relationship", "modified": "2020-08-10T21:57:54.517Z", "created": "2020-07-20T13:27:33.514Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599", "type": "relationship", "modified": "2020-08-10T21:57:54.531Z", "created": "2020-07-20T13:27:33.512Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", "type": "relationship", "modified": "2020-08-10T21:57:54.537Z", "created": "2020-07-20T13:27:33.546Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", "type": "relationship", "modified": "2020-08-10T22:00:43.490Z", "created": "2020-07-20T13:27:33.548Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) sends the device\u2019s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", "type": "relationship", "modified": "2020-08-10T21:57:54.518Z", "created": "2020-07-20T13:27:33.553Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", "type": "relationship", "modified": "2020-08-10T21:57:54.524Z", "created": "2020-07-20T13:27:33.549Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--8ff45341-60d6-40d3-bb38-566814a466f9", "type": "relationship", "modified": "2020-08-10T21:57:54.491Z", "created": "2020-07-20T13:27:33.552Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has masqueraded as an Android security application.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--4bac7e76-7a1f-4091-9e38-ab5af842d73a", "type": "relationship", "modified": "2020-09-24T15:12:24.216Z", "created": "2020-07-20T13:49:03.633Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has been distributed via phishing websites.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--9d087e80-c58e-45ed-bc5d-bc99e3e3e42e", "type": "relationship", "modified": "2020-10-05T16:40:45.881Z", "created": "2020-07-20T13:49:03.672Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. 
(2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443", "type": "relationship", "modified": "2020-09-24T15:12:24.217Z", "created": "2020-07-20T13:49:03.676Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", "type": "relationship", "modified": "2020-09-24T15:12:24.191Z", "created": "2020-07-20T13:49:03.692Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", "type": "relationship", "modified": "2020-09-24T15:12:24.242Z", "created": "2020-07-20T13:49:03.693Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. 
(2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--b110d919-acd4-4fe0-a46a-ac4819508667", "type": "relationship", "modified": "2020-09-24T15:12:24.292Z", "created": "2020-07-20T13:58:53.589Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s IMEM, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--3f81a680-3151-4608-b83f-550756632013", "type": "relationship", "modified": "2020-09-24T15:12:24.301Z", "created": "2020-07-20T13:58:53.604Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251", "type": "relationship", "modified": "2020-09-24T15:12:24.302Z", "created": "2020-07-20T13:58:53.610Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Check Point-Joker", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). 
New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) can install additional applications.(Citation: Check Point-Joker)", "relationship_type": "uses", "id": "relationship--283f4e8e-07dc-4d22-84f9-536f9024307a", "type": "relationship", "modified": "2020-07-20T14:12:15.547Z", "created": "2020-07-20T14:12:15.547Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "external_references": [ { "source_name": "Check Point-Joker", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." } ], "description": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", "relationship_type": "uses", "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", "type": "relationship", "modified": "2020-07-20T14:12:15.566Z", "created": "2020-07-20T14:12:15.566Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
} ], "description": "[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", "type": "relationship", "modified": "2020-08-10T22:18:20.777Z", "created": "2020-07-27T14:14:56.954Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", "type": "relationship", "modified": "2020-08-10T22:18:20.747Z", "created": "2020-07-27T14:14:56.962Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
} ], "description": "[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", "type": "relationship", "modified": "2020-08-10T22:18:20.782Z", "created": "2020-07-27T14:14:56.961Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "description": "[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", "type": "relationship", "modified": "2020-08-10T22:18:20.815Z", "created": "2020-07-27T14:14:56.980Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
} ], "description": "[Zen](https://attack.mitre.org/software/S0494) has been distributed via the Google Play Store.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--6a0ce31a-72bb-4634-8d24-daa5880a99b0", "type": "relationship", "modified": "2020-08-10T22:18:20.816Z", "created": "2020-07-27T14:14:56.989Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef", "type": "relationship", "modified": "2020-08-10T22:18:20.819Z", "created": "2020-07-27T14:14:56.993Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "description": "[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. 
[Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--1348c744-3127-4a55-a5b4-2f439f41e941", "type": "relationship", "modified": "2020-08-10T22:18:20.814Z", "created": "2020-07-27T14:14:56.994Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "description": "[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. [Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a", "type": "relationship", "modified": "2020-08-10T22:18:20.812Z", "created": "2020-07-27T14:14:56.996Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020." } ], "description": "[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)", "relationship_type": "uses", "id": "relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2", "type": "relationship", "modified": "2020-08-10T22:18:20.776Z", "created": "2020-07-27T14:14:57.020Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "relationship_type": "mitigates", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "id": "relationship--c8b04178-2aa8-44c0-8bf6-787caa3f64e7", "type": "relationship", "modified": "2020-10-01T12:52:58.649Z", "created": "2020-09-11T14:08:08.666Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "relationship_type": "mitigates", "description": "Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "id": "relationship--6e135f1d-e947-4079-8363-9a1344c57560", "type": "relationship", "modified": "2020-10-01T12:52:58.604Z", "created": "2020-09-11T14:08:08.686Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": 
"Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed via the Google Play Store.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--8a9ab14a-c666-47ef-a92e-57872a5a82ae", "type": "relationship", "modified": "2020-09-11T14:54:16.521Z", "created": "2020-09-11T14:54:16.521Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can upload attacker-specified files to the C2 server.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--1fe811ec-9ca8-4956-9a94-02748f03ad8a", "type": "relationship", "modified": "2020-09-11T14:54:16.546Z", "created": "2020-09-11T14:54:16.546Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", "type": "relationship", "modified": "2020-09-11T14:54:16.548Z", "created": "2020-09-11T14:54:16.548Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", "type": "relationship", "modified": "2020-09-11T14:54:16.566Z", "created": "2020-09-11T14:54:16.566Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device\u2019s location.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", "type": "relationship", "modified": "2020-09-11T14:54:16.582Z", "created": "2020-09-11T14:54:16.582Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect files located in external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", "type": "relationship", "modified": "2020-09-11T14:54:16.585Z", "created": "2020-09-11T14:54:16.585Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d", "type": "relationship", "modified": "2020-09-11T14:54:16.587Z", "created": "2020-09-11T14:54:16.587Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab", "type": "relationship", "modified": "2020-09-11T14:54:16.589Z", "created": "2020-09-11T14:54:16.589Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", "type": "relationship", "modified": "2020-09-11T14:54:16.615Z", "created": "2020-09-11T14:54:16.615Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", "type": "relationship", "modified": "2020-09-11T14:54:16.617Z", "created": "2020-09-11T14:54:16.617Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", "type": "relationship", "modified": "2020-09-11T14:54:16.621Z", "created": "2020-09-11T14:54:16.621Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b", "type": "relationship", "modified": "2020-09-11T14:54:16.638Z", "created": "2020-09-11T14:54:16.638Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f", "type": "relationship", "modified": "2020-09-11T14:54:16.640Z", "created": "2020-09-11T14:54:16.640Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f", "type": "relationship", "modified": "2020-09-11T14:54:16.642Z", "created": "2020-09-11T14:54:16.642Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", "type": "relationship", "modified": "2020-09-11T14:54:16.644Z", "created": "2020-09-11T14:54:16.644Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c", "type": "relationship", "modified": "2020-09-11T14:54:16.646Z", "created": "2020-09-11T14:54:16.646Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device\u2019s contact list.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9", "type": "relationship", "modified": "2020-09-11T14:54:16.649Z", "created": "2020-09-11T14:54:16.649Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", "type": "relationship", "modified": "2020-09-11T14:54:16.650Z", "created": "2020-09-11T14:54:16.650Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "relationship_type": "mitigates", "description": "Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", "id": "relationship--dd4dc3ef-6076-4232-8cf4-f0efe9c0b2f3", "type": "relationship", "modified": "2020-10-01T12:43:42.220Z", "created": "2020-09-11T15:04:14.823Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "relationship_type": "mitigates", "description": "Users should be advised to closely scrutinize applications that request location permissions, and to deny any permission requests from applications they do not recognize.", "id": "relationship--95e1941a-23a1-4c04-be62-726b1097bb3b", "type": "relationship", "modified": "2020-10-01T12:43:42.234Z", "created": "2020-09-11T15:04:14.837Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "relationship_type": 
"mitigates", "description": "Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", "external_references": [ { "source_name": "SMS KitKat", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020." } ], "type": "relationship", "modified": "2020-10-22T17:04:15.708Z", "created": "2020-09-11T15:14:34.064Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "relationship_type": "mitigates", "description": "Application vetting services could provide further scrutiny to applications that request SMS-based permissions.", "id": "relationship--cdc1b090-1ca8-4fb3-a149-ca8c4e070250", "type": "relationship", "modified": "2020-10-22T17:04:15.734Z", "created": "2020-09-11T15:14:34.071Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "relationship_type": "mitigates", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. 
Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes.", "id": "relationship--9d7f01ed-f9aa-4545-8ce3-4654d8e86f48", "external_references": [ { "source_name": "Android App Links", "url": "https://developer.android.com/training/app-links/verify-site-associations", "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." }, { "source_name": "iOS Universal Links", "url": "https://developer.apple.com/ios/universal-links/", "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" } ], "type": "relationship", "modified": "2020-10-01T12:42:21.954Z", "created": "2020-09-11T15:39:28.206Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "description": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", "type": "relationship", "modified": "2020-09-11T15:43:49.309Z", "created": "2020-09-11T15:43:49.309Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", "type": "relationship", "modified": "2020-09-11T15:45:38.450Z", "created": "2020-09-11T15:45:38.450Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "description": "[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93", "type": "relationship", "modified": "2020-09-11T15:50:18.937Z", "created": "2020-09-11T15:50:18.937Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "description": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", "type": "relationship", "modified": "2020-09-11T15:52:12.520Z", "created": "2020-09-11T15:52:12.520Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." } ], "description": "[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", "type": "relationship", "modified": "2020-09-11T15:53:38.453Z", "created": "2020-09-11T15:53:38.453Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", "type": "relationship", "modified": "2020-09-11T15:55:43.774Z", "created": "2020-09-11T15:55:43.774Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "description": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", "type": "relationship", "modified": "2020-09-11T15:57:37.770Z", "created": "2020-09-11T15:57:37.770Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", "type": "relationship", "modified": "2020-09-11T15:58:40.846Z", "created": "2020-09-11T15:58:40.846Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", "type": "relationship", "modified": "2020-09-11T16:22:03.207Z", "created": "2020-09-11T16:22:03.207Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", "type": "relationship", "modified": "2020-09-11T16:22:03.229Z", "created": "2020-09-11T16:22:03.229Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", "type": "relationship", "modified": "2020-09-11T16:22:03.231Z", "created": "2020-09-11T16:22:03.231Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", "type": "relationship", "modified": "2020-09-11T16:22:03.250Z", "created": "2020-09-11T16:22:03.250Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been distributed through 3rd party websites.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--336f139f-b771-48d4-a3d6-7ef94289d56e", "type": "relationship", "modified": "2020-09-11T16:22:03.251Z", "created": "2020-09-11T16:22:03.251Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506)\u2019s second stage has masqueraded as \u201cSystem Updates\u201d, \u201cViber Update\u201d, and \u201cWhatsApp Update\u201d.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--018c744e-8d14-4b75-8c58-f661857dcb85", "type": "relationship", "modified": "2020-09-11T16:22:03.253Z", "created": "2020-09-11T16:22:03.253Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6", "type": "relationship", "modified": "2020-09-11T16:22:03.266Z", "created": "2020-09-11T16:22:03.266Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s call log.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--ce645a25-160f-443d-b288-fdd108b78a06", "type": "relationship", "modified": "2020-09-11T16:22:03.269Z", "created": "2020-09-11T16:22:03.269Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s contact list.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca", "type": "relationship", "modified": "2020-09-11T16:22:03.285Z", "created": "2020-09-11T16:22:03.285Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s cell tower information.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb", "type": "relationship", "modified": "2020-09-11T16:22:03.294Z", "created": "2020-09-11T16:22:03.294Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", "type": "relationship", "modified": "2020-09-11T16:22:03.296Z", "created": "2020-09-11T16:22:03.296Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can track the device\u2019s location.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--7c6207c7-d738-4a17-8380-595c86574b64", "type": "relationship", "modified": "2020-09-11T16:22:03.298Z", "created": "2020-09-11T16:22:03.298Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", "type": "relationship", "modified": "2020-09-11T16:22:03.301Z", "created": "2020-09-11T16:22:03.301Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", "type": "relationship", "modified": "2020-09-11T16:23:16.363Z", "created": "2020-09-11T16:23:16.363Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", "source_name": "ESET-Twitoor" } ], "description": "[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)", "relationship_type": "uses", "id": "relationship--7258542e-029b-45b9-be69-6e76d9c93b35", "type": "relationship", "modified": "2020-09-30T13:20:00.043Z", "created": "2020-09-14T13:35:45.886Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "source_name": "ESET-Twitoor" } ], "description": "[Twitoor](https://attack.mitre.org/software/S0302) can install attacker-specified applications.(Citation: ESET-Twitoor)", "relationship_type": "uses", "id": "relationship--6ee89b0e-a2ab-40c8-88fd-54f974ea00b1", "type": "relationship", "modified": "2020-09-14T13:35:45.906Z", "created": "2020-09-14T13:35:45.906Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "external_references": [ { "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", "source_name": "ESET-Twitoor" } ], "description": "[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)", "relationship_type": "uses", "id": "relationship--c6464a84-e23b-412f-b435-5b23853d3643", "type": "relationship", "modified": "2020-09-30T13:20:00.072Z", "created": "2020-09-14T13:35:45.909Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "external_references": [ { "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "source_name": "ESET-Twitoor" } ], "description": "[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)", "relationship_type": "uses", "id": "relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6", "type": "relationship", "modified": "2020-09-14T13:35:45.911Z", "created": "2020-09-14T13:35:45.911Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device\u2019s contact list.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--4b838636-bfa4-4592-b72f-3044946b8187", "type": "relationship", "modified": "2020-09-14T14:13:45.236Z", "created": "2020-09-14T14:13:45.236Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "description": "[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", "type": "relationship", "modified": "2020-09-14T14:13:45.253Z", "created": "2020-09-14T14:13:45.253Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "description": "[eSurv](https://attack.mitre.org/software/S0507) can track the device\u2019s location.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710", "type": "relationship", "modified": "2020-09-14T14:13:45.256Z", "created": "2020-09-14T14:13:45.256Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", "type": "relationship", "modified": "2020-09-14T14:13:45.259Z", "created": "2020-09-14T14:13:45.259Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version was available in the Google Play Store.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--26c224fb-906a-48bd-b550-5608e2492c03", "type": "relationship", "modified": "2020-09-14T14:13:45.283Z", "created": "2020-09-14T14:13:45.283Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "description": "[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc", "type": "relationship", "modified": "2020-09-14T14:13:45.286Z", "created": "2020-09-14T14:13:45.286Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "description": "[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--10c07066-df05-4dff-bb95-c76be02ea4ef", "type": "relationship", "modified": "2020-09-14T14:13:45.291Z", "created": "2020-09-14T14:13:45.291Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "description": "[eSurv](https://attack.mitre.org/software/S0507) has been distributed via phishing websites with geo-restrictions that allow access to only Italian and Turkmenistani mobile carriers. [eSurv](https://attack.mitre.org/software/S0507) can install applications via malicious iOS provisioning profiles containing the developer\u2019s certificate.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--7e189d23-1317-4c1d-a8b1-c5877eeb7a02", "type": "relationship", "modified": "2020-09-14T14:13:45.288Z", "created": "2020-09-14T14:13:45.288Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", "type": "relationship", "modified": "2020-09-14T15:39:17.961Z", "created": "2020-09-14T14:13:45.294Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used public key encryption and certificate pinning for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e", "type": "relationship", "modified": "2020-09-14T14:13:45.299Z", "created": "2020-09-14T14:13:45.299Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s iOS version can collect device information.(Citation: Lookout eSurv)", "relationship_type": "uses", "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", "type": "relationship", "modified": "2020-09-14T14:13:45.296Z", "created": "2020-09-14T14:13:45.296Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) masquerades as local postal service applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--75d99f9b-aa91-45c0-803e-60f462ee3ab3", "type": "relationship", "modified": "2020-09-15T15:18:12.309Z", "created": "2020-09-15T15:18:12.309Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4", "type": "relationship", "modified": "2020-09-15T15:18:12.362Z", "created": "2020-09-15T15:18:12.362Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", "type": "relationship", "modified": "2020-09-15T15:18:12.394Z", "created": "2020-09-15T15:18:12.394Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", "type": "relationship", "modified": "2020-09-15T15:18:12.398Z", "created": "2020-09-15T15:18:12.398Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", "type": "relationship", "modified": "2020-09-15T15:18:12.417Z", "created": "2020-09-15T15:18:12.417Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s contact list.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9", "type": "relationship", "modified": "2020-09-15T15:18:12.419Z", "created": "2020-09-15T15:18:12.419Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", "type": "relationship", "modified": "2020-09-15T15:18:12.421Z", "created": "2020-09-15T15:18:12.421Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", "type": "relationship", "modified": "2020-09-15T15:18:12.425Z", "created": "2020-09-15T15:18:12.425Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--3c43d125-6719-420e-bb69-878cc91c2474", "type": "relationship", "modified": "2020-09-15T15:18:12.428Z", "created": "2020-09-15T15:18:12.428Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is spread via direct download links in SMS phishing messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--979e6503-41a2-43f5-a30f-045272faa7d0", "type": "relationship", "modified": "2020-09-15T15:18:12.430Z", "created": "2020-09-15T15:18:12.430Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", "type": "relationship", "modified": "2020-09-15T15:18:12.459Z", "created": "2020-09-15T15:18:12.459Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s network information.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2", "type": "relationship", "modified": "2020-09-15T15:18:12.460Z", "created": "2020-09-15T15:18:12.460Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3", "type": "relationship", "modified": "2020-10-06T20:09:58.149Z", "created": "2020-09-15T15:18:12.462Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--66132260-65d1-4bf5-8200-abdb2014be6f", "type": "relationship", "modified": "2020-09-15T15:18:12.465Z", "created": "2020-09-15T15:18:12.465Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "description": "[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "id": "relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb", "type": "relationship", "modified": "2020-09-15T15:18:12.466Z", "created": "2020-09-15T15:18:12.466Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19", "type": "relationship", "modified": "2020-09-24T15:26:15.607Z", "created": "2020-09-24T15:26:15.607Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has been distributed via phishing SMS messages, which link to a malicious website hosting a device profile.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "id": "relationship--a7c74081-2844-4f0a-9fcc-c30a98717798", "type": "relationship", "modified": "2020-09-24T15:26:15.629Z", "created": "2020-09-24T15:26:15.629Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) has been distributed via the Google Play Store.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--5eb0452b-63c2-4f47-8a1e-4268a08f0802", "type": "relationship", "modified": "2020-09-24T15:34:51.185Z", "created": "2020-09-24T15:34:51.185Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being run on an emulator.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--15065492-1aef-4cf8-af3c-cc763eee5daf", "type": "relationship", "modified": "2020-09-24T15:34:51.213Z", "created": "2020-09-24T15:34:51.213Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", "type": "relationship", "modified": "2020-09-24T15:34:51.244Z", "created": "2020-09-24T15:34:51.244Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can collect the device\u2019s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", "type": "relationship", "modified": "2020-09-24T15:34:51.276Z", "created": "2020-09-24T15:34:51.276Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48", "type": "relationship", "modified": "2020-09-24T15:34:51.298Z", "created": "2020-09-24T15:34:51.298Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", "type": "relationship", "modified": "2020-09-24T15:34:51.315Z", "created": "2020-09-24T15:34:51.315Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", "type": "relationship", "modified": "2020-09-24T15:34:51.433Z", "created": "2020-09-24T15:34:51.433Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can be bound to legitimate applications prior to installation on devices.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--3a869988-15a7-4ec8-9d7b-d460dc0ee494", "type": "relationship", "modified": "2020-09-29T13:24:15.284Z", "created": "2020-09-24T15:34:51.448Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "description": "[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "id": "relationship--455b1287-5784-42b4-91fb-01dac007758d", "type": "relationship", "modified": "2020-09-29T13:24:15.234Z", "created": "2020-09-29T13:24:15.234Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "relationship_type": "mitigates", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking)", "id": "relationship--37459382-00b7-4699-a294-d25f53bf1096", "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." 
} ], "type": "relationship", "modified": "2020-10-01T12:42:21.985Z", "created": "2020-09-30T14:36:43.256Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "relationship_type": "mitigates", "description": "New OS releases frequently contain additional limitations or controls around device location access.", "id": "relationship--e373111c-aa34-4686-a286-7c9b4267e246", "type": "relationship", "modified": "2020-10-01T12:43:42.238Z", "created": "2020-09-30T14:48:16.522Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "target_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "relationship_type": "revoked-by", "id": "relationship--39f46abc-d9e3-463d-9340-3bc8334af314", "type": "relationship", "modified": "2020-10-23T15:05:40.967Z", "created": "2020-10-23T15:05:40.967Z" }, { "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1013", "external_id": "M1013" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1013", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:53.732Z" }, { 
"created": "2019-10-18T12:49:58.924Z", "modified": "2019-10-18T15:53:07.393Z", "type": "course-of-action", "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.", "name": "Application Vetting", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1005", "url": "https://attack.mitre.org/mitigations/M1005" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "M1002", "url": "https://attack.mitre.org/mitigations/M1002" } ], "name": "Attestation", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "type": "course-of-action", "modified": "2019-10-18T14:52:53.019Z", "created": "2019-10-18T12:50:35.335Z", 
"x_mitre_version": "1.0" }, { "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Caution with Device Administrator Access", "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1007", "external_id": "M1007" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1007", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:51.365Z" }, { "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Deploy Compromised Device Detection Method", "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. 
Some methods may be trivial to evade while others may be more sophisticated.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1010", "external_id": "M1010" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1010", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:52.601Z" }, { "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Encrypt Network Traffic", "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1009", "external_id": "M1009" }, { "source_name": "TechCrunch-ATS", "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. 
Retrieved December 19, 2016.", "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/" }, { "source_name": "Android-NetworkSecurityConfig", "description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.", "url": "https://developer.android.com/training/articles/security-config.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1009", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:50.769Z" }, { "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Enterprise Policy", "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1012", "external_id": "M1012" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "modified": "2020-06-24T15:08:18.395Z", "created": "2017-10-25T14:48:53.318Z", "x_mitre_old_attack_id": "MOB-M1012", "x_mitre_version": "1.0" }, { "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Interconnection Filtering", "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1014", "external_id": 
"M1014" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1014", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:50.181Z" }, { "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Lock Bootloader", "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1003", "external_id": "M1003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1003", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:49.554Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "M1001", "url": "https://attack.mitre.org/mitigations/M1001" } ], "name": "Security Updates", "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block 
access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "type": "course-of-action", "modified": "2019-10-18T14:56:15.631Z", "created": "2019-10-18T12:51:36.488Z", "x_mitre_version": "1.0" }, { "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "System Partition Integrity", "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1004", "external_id": "M1004" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1004", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:52.270Z" }, { "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Use Recent OS Version", "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. 
They may also bring improvements that block use of observed adversary techniques.", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1006", "external_id": "M1006" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_version": "1.0", "x_mitre_old_attack_id": "MOB-M1006", "type": "course-of-action", "modified": "2018-10-17T00:14:20.652Z", "created": "2017-10-25T14:48:51.657Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-attack", "external_id": "M1011", "url": "https://attack.mitre.org/mitigations/M1011" } ], "name": "User Guidance", "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "type": "course-of-action", "modified": "2019-10-18T15:51:48.318Z", "created": "2019-10-18T12:53:03.508Z", "x_mitre_version": "1.0" }, { "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "The MITRE Corporation", "identity_class": "organization", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "identity", "modified": "2017-06-01T00:00:00.000Z", "created": "2017-06-01T00:00:00.000Z" }, { "type": "intrusion-set", "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "APT28", "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 
2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "G0007", "url": "https://attack.mitre.org/groups/G0007", "source_name": "mitre-attack" }, { "source_name": "APT28", "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" }, { "source_name": "SNAKEMACKEREL", "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" }, { "source_name": "Swallowtail", "description": "(Citation: Symantec APT28 Oct 2018)" }, { "source_name": "Group 74", "description": "(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Sednit", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. (Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)" }, { "source_name": "Sofacy", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware. 
(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Pawn Storm", "description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)" }, { "source_name": "Fancy Bear", "description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" }, { "source_name": "STRONTIUM", "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)" }, { "source_name": "Tsar Team", "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Threat Group-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "TG-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "NSA/FBI Drovorub August 2020", "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." }, { "source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", "url": "https://www.justice.gov/file/1080281/download" }, { "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", "description": "Gallagher, S. (2018, July 27). 
How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", "source_name": "Ars Technica GRU indictment Jul 2018" }, { "source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" }, { "source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", "source_name": "SecureWorks TG-4127" }, { "source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" }, { "source_name": "GRIZZLY STEPPE JAR", "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.", "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" }, { "source_name": "Sofacy DealersChoice", "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { "source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" }, { "source_name": "Symantec APT28 Oct 2018", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." }, { "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "source_name": "ESET Zebrocy May 2019" }, { "source_name": "US District Court Indictment GRU Oct 2018", "url": "https://www.justice.gov/opa/page/file/1098481/download", "description": "Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020." }, { "source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, { "source_name": "ESET Sednit Part 3", "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" }, { "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018.", "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "source_name": "Talos Seduploader Oct 2017" }, { "source_name": "Securelist Sofacy Feb 2018", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018." }, { "source_name": "Accenture SNAKEMACKEREL Nov 2018", "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019." }, { "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "source_name": "Microsoft STRONTIUM Aug 2019" }, { "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." 
} ], "aliases": [ "APT28", "SNAKEMACKEREL", "Swallowtail", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127" ], "modified": "2020-10-06T23:32:21.793Z", "created": "2017-05-31T21:31:48.664Z", "x_mitre_contributors": [ "S\u00e9bastien Ruel, CGI", "Drew Church, Splunk", "Emily Ratliff, IBM", "Richard Gold, Digital Shadows" ], "x_mitre_version": "3.0" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "G0097", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0097" }, { "source_name": "Trend Micro Bouncing Golf 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." } ], "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", "name": "Bouncing Golf", "type": "intrusion-set", "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "aliases": [ "Bouncing Golf" ], "modified": "2020-03-26T20:58:44.722Z", "created": "2020-01-27T16:55:39.688Z", "x_mitre_version": "1.0" }, { "type": "intrusion-set", "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Dark Caracal", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 
(Citation: Lookout Dark Caracal Jan 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0070", "external_id": "G0070" }, { "source_name": "Dark Caracal", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "aliases": [ "Dark Caracal" ], "modified": "2020-06-03T20:22:40.401Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.2" }, { "created": "2017-10-25T14:48:47.965Z", "modified": "2019-10-15T19:55:04.407Z", "labels": [ "malware" ], "type": "malware", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0310", "external_id": "S0310" }, { "source_name": "ANDROIDOS_ANSERVER.A", "description": "(Citation: TrendMicro-Anserver)" }, { "source_name": "TrendMicro-Anserver", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" } ], "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. 
(Citation: TrendMicro-Anserver)", "name": "ANDROIDOS_ANSERVER.A", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "x_mitre_aliases": [ "ANDROIDOS_ANSERVER.A" ], "x_mitre_version": "1.3", "x_mitre_old_attack_id": "MOB-S0026", "x_mitre_platforms": [ "Android" ] }, { "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Adups", "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0309", "external_id": "S0309" }, { "source_name": "Adups", "description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)" }, { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" }, { "source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. 
Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Adups" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0025", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:47.038Z" }, { "external_references": [ { "external_id": "S0440", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0440" }, { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", "name": "Agent Smith", "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", "type": "malware", "labels": [ "malware" ], "modified": "2020-06-17T12:49:21.423Z", "created": "2020-05-07T15:18:34.417Z", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Agent Smith" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Allwinner", "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0319", "external_id": "S0319" }, { "source_name": "Allwinner", "description": "(Citation: HackerNews-Allwinner)" }, { "source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. 
Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Allwinner" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0035", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "AndroRAT", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0292", "external_id": "S0292" }, { "source_name": "AndroRAT", "description": "(Citation: Lookout-EnterpriseApps)" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "AndroRAT" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0008", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:47.363Z" }, { "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Android/Chuli.A", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. 
(Citation: Kaspersky-WUC)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0304", "external_id": "S0304" }, { "source_name": "Android/Chuli.A", "description": "(Citation: Kaspersky-WUC)" }, { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-15T20:31:25.864Z", "created": "2017-10-25T14:48:45.482Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0020", "x_mitre_version": "1.2", "x_mitre_aliases": [ "Android/Chuli.A" ] }, { "external_references": [ { "external_id": "S0422", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0422" }, { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", "name": "Anubis", "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:42:15.261Z", "created": "2020-04-08T15:41:19.114Z", "x_mitre_version": "1.1", "x_mitre_aliases": [ "Anubis" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ] }, { "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "BrainTest", "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0293", "external_id": "S0293" }, { "source_name": "BrainTest", "description": "(Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)" }, { "source_name": "CheckPoint-BrainTest", "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.", "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/" }, { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "BrainTest" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0009", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:47.674Z" }, { "external_references": [ { "external_id": "S0432", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0432" }, { "source_name": "Joker", "description": "(Citation: Google Bread)" }, { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 
1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", "name": "Bread", "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "type": "malware", "labels": [ "malware" ], "modified": "2020-10-14T14:42:53.609Z", "created": "2020-05-04T14:04:55.823Z", "x_mitre_contributors": [ "Sergey Persikov, Check Point", "Jonathan Shimonovich, Check Point", "Aviran Hazum, Check Point" ], "x_mitre_version": "1.1", "x_mitre_aliases": [ "Bread", "Joker" ], "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "S0480", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0480" }, { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Cerberus", "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. 
Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)", "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:43:49.079Z", "created": "2020-06-26T15:32:24.569Z", "x_mitre_version": "1.1", "x_mitre_aliases": [ "Cerberus" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ] }, { "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Charger", "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0323", "external_id": "S0323" }, { "source_name": "Charger", "description": "(Citation: CheckPoint-Charger)" }, { "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "source_name": "CheckPoint-Charger" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-09T14:51:42.697Z", "created": "2017-10-25T14:48:39.631Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0039", "x_mitre_version": "1.1", "x_mitre_aliases": [ "Charger" ] }, { "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "name": "Concipit1248", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0426", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0426" }, { "source_name": "Corona Updates", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "type": "malware", "labels": [ "malware" ], "modified": "2020-04-30T18:30:05.787Z", "created": "2020-04-24T15:12:10.817Z", "x_mitre_platforms": [ "iOS" ], "x_mitre_aliases": [ "Concipit1248", "Corona Updates" ], "x_mitre_version": "1.0" }, { "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "name": "Corona Updates", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0425", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0425" }, { "source_name": "Wabi Music", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "Concipit1248", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:45:38.235Z", "created": "2020-04-24T15:06:32.870Z", "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "Corona Updates", "Wabi Music", "Concipit1248" ], "x_mitre_version": "1.1" }, { "external_references": [ { "external_id": "S0479", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0479" }, { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", "name": "DEFENSOR ID", "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "type": "malware", "labels": [ "malware" ], "modified": "2020-06-26T20:16:31.850Z", "created": "2020-06-26T15:12:39.648Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "DEFENSOR ID" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ] }, { "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Dendroid", "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0301", "external_id": "S0301" }, { "source_name": "Dendroid", "description": "(Citation: Lookout-Dendroid)" }, { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2020-09-29T13:24:14.934Z", "created": "2017-10-25T14:48:37.438Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0017", "x_mitre_version": "2.0", "x_mitre_aliases": [ "Dendroid" ] }, { "external_references": [ { "external_id": "S0505", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0505" }, { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. 
[Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", "name": "Desert Scorpion", "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T16:23:16.039Z", "created": "2020-09-11T14:54:16.188Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "Desert Scorpion" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "DressCode", "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0300", "external_id": "S0300" }, { "source_name": "DressCode", "description": "(Citation: TrendMicro-DressCode)" }, { "source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "DressCode" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0016", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:37.856Z" }, { "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "DroidJack", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0320", "external_id": "S0320" }, { "source_name": "DroidJack", "description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)" }, { "url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", "source_name": "Zscaler-SuperMarioRun" }, { "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.", "source_name": "Proofpoint-Droidjack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-08-09T18:02:06.618Z", "created": "2017-10-25T14:48:40.571Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0036", "x_mitre_version": "1.2", "x_mitre_aliases": [ "DroidJack" ] }, { "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "DualToy", "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0315", "external_id": "S0315" }, { "source_name": "DualToy", "description": "(Citation: PaloAlto-DualToy)" }, { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). 
DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "DualToy" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0031", "x_mitre_platforms": [ "Android", "iOS" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:41.721Z" }, { "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", "name": "Dvmap", "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0420", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0420" }, { "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "source_name": "SecureList DVMap June 2017" } ], "type": "malware", "labels": [ "malware" ], "modified": "2020-01-22T22:17:23.015Z", "created": "2019-12-10T16:07:40.664Z", "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "Dvmap" ], "x_mitre_version": "1.0" }, { "external_references": [ { "external_id": "S0478", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0478" }, { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", "name": "EventBot", "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "type": "malware", "labels": [ "malware" ], "modified": "2020-06-26T21:01:58.595Z", "created": "2020-06-26T14:55:12.847Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "EventBot" ], "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "S0405", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0405" }, { "source_name": "Exodus One", "description": "(Citation: SWB Exodus March 2019)" }, { "source_name": "Exodus 
Two", "description": "(Citation: SWB Exodus March 2019)" }, { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", "name": "Exodus", "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "type": "malware", "labels": [ "malware" ], "modified": "2019-10-14T17:15:52.191Z", "created": "2019-09-03T19:45:47.826Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "Exodus", "Exodus One", "Exodus Two" ], "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "S0509", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0509" }, { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "name": "FakeSpy", "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "type": "malware", "labels": [ "malware" ], "modified": "2020-10-06T20:09:57.659Z", "created": "2020-09-15T15:18:11.971Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "FakeSpy" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Ofir Almkias, Cybereason" ] }, { "created": "2018-01-16T16:13:52.465Z", "modified": "2020-03-30T15:32:08.360Z", "labels": [ "malware" ], "type": "malware", "id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "FinFisher", "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). 
(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", "external_references": [ { "external_id": "S0182", "url": "https://attack.mitre.org/software/S0182", "source_name": "mitre-attack" }, { "source_name": "FinFisher", "description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" }, { "source_name": "FinSpy", "description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" }, { "url": "http://www.finfisher.com/FinFisher/index.html", "description": "FinFisher. (n.d.). Retrieved December 20, 2017.", "source_name": "FinFisher Citation" }, { "source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" }, { "url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.", "source_name": "FireEye FinSpy Sept 2017" }, { "source_name": "Securelist BlackOasis Oct 2017", "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. 
Retrieved February 15, 2018.", "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" }, { "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", "source_name": "Microsoft FinFisher March 2018" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_platforms": [ "Windows", "Android" ], "x_mitre_aliases": [ "FinFisher", "FinSpy" ], "x_mitre_version": "1.3" }, { "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "name": "Ginp", "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0423", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0423" }, { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:50:18.707Z", "created": "2020-04-08T15:51:24.862Z", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "Ginp" ], "x_mitre_version": "1.1" }, { "external_references": [ { "external_id": "S0421", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0421" }, { "source_name": "Trend Micro Bouncing Golf 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", "name": "GolfSpy", "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "type": "malware", "labels": [ "malware" ], "modified": "2020-03-26T20:50:07.023Z", "created": "2020-01-27T17:05:57.712Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "GolfSpy" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Gooligan", "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to 
access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0290", "external_id": "S0290" }, { "source_name": "Gooligan", "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" }, { "source_name": "Ghost Push", "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" }, { "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", "source_name": "Gooligan Citation" }, { "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi", "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", "source_name": "Ludwig-GhostPush" }, { "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/", "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. 
Retrieved December 12, 2016.", "source_name": "Lookout-Gooligan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-10T15:18:50.693Z", "created": "2017-10-25T14:48:43.242Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0006", "x_mitre_version": "1.2", "x_mitre_aliases": [ "Gooligan", "Ghost Push" ] }, { "external_references": [ { "external_id": "S0406", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0406" }, { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", "name": "Gustuff", "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "type": "malware", "labels": [ "malware" ], "modified": "2019-10-14T19:14:17.007Z", "created": "2019-09-03T20:08:00.241Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "Gustuff" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "HummingBad", "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. 
(Citation: ArsTechnica-HummingBad)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0322", "external_id": "S0322" }, { "source_name": "HummingBad", "description": "(Citation: ArsTechnica-HummingBad)" }, { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "HummingBad" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0038", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:42.948Z" }, { "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "HummingWhale", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0321", "external_id": "S0321" }, { "source_name": "HummingWhale", "description": "(Citation: ArsTechnica-HummingWhale)" }, { "source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "HummingWhale" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0037", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:40.259Z" }, { "external_references": [ { "external_id": "S0463", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0463" }, { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", "name": "INSOMNIA", "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "type": "malware", "labels": [ "malware" ], "modified": "2020-06-24T18:24:35.433Z", "created": "2020-06-02T14:32:31.461Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "INSOMNIA" ], "x_mitre_platforms": [ "iOS" ] }, { "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Judy", "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. 
(Citation: CheckPoint-Judy)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0325", "external_id": "S0325" }, { "source_name": "Judy", "description": "(Citation: CheckPoint-Judy)" }, { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Judy" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0041", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "KeyRaider", "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0288", "external_id": "S0288" }, { "source_name": "KeyRaider", "description": "(Citation: Xiao-KeyRaider)" }, { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "KeyRaider" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0004", "x_mitre_platforms": [ "iOS" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:43.815Z" }, { "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "name": "Mandrake", "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. 
The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0485", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0485" }, { "source_name": "oxide", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "briar", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "ricinus", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "darkmatter", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:52:12.097Z", "created": "2020-07-15T20:20:58.846Z", "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "Mandrake", "oxide", "briar", "ricinus", "darkmatter" ], "x_mitre_version": "1.0" }, { "id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Marcher", "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0317", "external_id": "S0317" }, { "source_name": "Marcher", "description": "(Citation: Proofpoint-Marcher)" }, { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). 
Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Marcher" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0033", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "MazarBOT", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0303", "external_id": "S0303" }, { "source_name": "MazarBOT", "description": "(Citation: Tripwire-MazarBOT)" }, { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "MazarBOT" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0019", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:40.875Z" }, { "external_references": [ { "url": "https://attack.mitre.org/software/S0407", "source_name": "mitre-attack", "external_id": "S0407" }, { "source_name": "Lookout-Monokle", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. 
It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)", "name": "Monokle", "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "type": "malware", "labels": [ "malware" ], "modified": "2020-01-21T15:30:39.236Z", "created": "2019-09-04T14:28:14.181Z", "x_mitre_version": "1.1", "x_mitre_aliases": [ "Monokle" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "J\u00f6rg Abraham, EclecticIQ" ] }, { "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "NotCompatible", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0299", "external_id": "S0299" }, { "source_name": "NotCompatible", "description": "(Citation: Lookout-NotCompatible)" }, { "source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "NotCompatible" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0015", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:36.707Z" }, { "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "OBAD", "description": "OBAD is an Android malware family. 
(Citation: TrendMicro-Obad)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0286", "external_id": "S0286" }, { "source_name": "OBAD", "description": "(Citation: TrendMicro-Obad)" }, { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "OBAD" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0002", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:44.540Z" }, { "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "OldBoot", "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0285", "external_id": "S0285" }, { "source_name": "OldBoot", "description": "(Citation: HackerNews-OldBoot)" }, { "source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. 
Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "OldBoot" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0001", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:45.155Z" }, { "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "PJApps", "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0291", "external_id": "S0291" }, { "source_name": "PJApps", "description": "(Citation: Lookout-EnterpriseApps)" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "PJApps" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0007", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:43.527Z" }, { "external_references": [ { "external_id": "S0399", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0399" }, { "source_name": "Pallas", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", "name": "Pallas", "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "type": "malware", "labels": [ "malware" ], "modified": "2019-09-18T20:17:17.744Z", "created": "2019-07-10T15:35:43.217Z", "x_mitre_version": "1.1", "x_mitre_aliases": [ "Pallas" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Pegasus for Android", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0316", "external_id": "S0316" }, { "source_name": "Pegasus for Android", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" }, { "source_name": "Chrysaor", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" }, { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" }, { "source_name": "Google-Chrysaor", "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. 
Retrieved April 16, 2017.", "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-08-09T17:52:31.636Z", "created": "2017-10-25T14:48:41.202Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0032", "x_mitre_version": "1.2", "x_mitre_aliases": [ "Pegasus for Android", "Chrysaor" ] }, { "id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Pegasus for iOS", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", "external_references": [ { "external_id": "S0289", "url": "https://attack.mitre.org/software/S0289", "source_name": "mitre-mobile-attack" }, { "description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)", "source_name": "Pegasus for iOS" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "source_name": "Lookout-Pegasus" }, { "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. 
Retrieved December 12, 2016.", "source_name": "PegasusCitizenLab" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2020-01-24T13:55:33.492Z", "created": "2017-10-25T14:48:44.238Z", "x_mitre_platforms": [ "iOS" ], "x_mitre_old_attack_id": "MOB-S0005", "x_mitre_version": "1.1", "x_mitre_aliases": [ "Pegasus for iOS" ] }, { "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "RCSAndroid", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0295", "external_id": "S0295" }, { "source_name": "RCSAndroid", "description": "(Citation: TrendMicro-RCSAndroid)" }, { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-10T15:22:52.282Z", "created": "2017-10-25T14:48:38.274Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0011", "x_mitre_version": "1.2", "x_mitre_aliases": [ "RCSAndroid" ] }, { "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "RedDrop", "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. 
(Citation: Wandera-RedDrop)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0326", "external_id": "S0326" }, { "source_name": "RedDrop", "description": "(Citation: Wandera-RedDrop)" }, { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "url": "https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-15T19:56:13.028Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0042", "x_mitre_version": "1.2", "x_mitre_aliases": [ "RedDrop" ] }, { "external_references": [ { "external_id": "S0403", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0403" }, { "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/", "source_name": "Kaspersky Riltok June 2019" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", "name": "Riltok", "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "type": "malware", "labels": [ "malware" ], "modified": "2019-09-18T13:44:13.080Z", "created": "2019-08-07T15:57:12.877Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "Riltok" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "name": "Rotexy", "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0411", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0411" }, { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." 
} ], "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:53:38.216Z", "created": "2019-09-23T13:36:07.816Z", "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "Rotexy" ], "x_mitre_version": "1.1" }, { "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "RuMMS", "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0313", "external_id": "S0313" }, { "source_name": "RuMMS", "description": "(Citation: FireEye-RuMMS)" }, { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "RuMMS" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0029", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:48.917Z" }, { "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "ShiftyBug", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. 
(Citation: Lookout-Adware)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0294", "external_id": "S0294" }, { "source_name": "ShiftyBug", "description": "(Citation: Lookout-Adware)" }, { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "ShiftyBug" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0010", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:38.690Z" }, { "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "name": "SimBad", "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0419", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0419" }, { "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "source_name": "CheckPoint SimBad 2019" } ], "type": "malware", "labels": [ "malware" ], "modified": "2020-01-27T17:01:31.634Z", "created": "2019-11-21T19:16:34.526Z", "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "SimBad" ], "x_mitre_version": "1.0" }, { "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Skygofree", "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0327", "external_id": "S0327" }, { "source_name": "Skygofree", "description": "(Citation: Kaspersky-Skygofree)" }, { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-15T19:33:42.064Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0043", "x_mitre_version": "1.2", "x_mitre_aliases": [ "Skygofree" ] }, { "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "SpyDealer", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. 
(Citation: PaloAlto-SpyDealer)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0324", "external_id": "S0324" }, { "source_name": "SpyDealer", "description": "(Citation: PaloAlto-SpyDealer)" }, { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-15T19:37:21.120Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0040", "x_mitre_version": "1.2", "x_mitre_aliases": [ "SpyDealer" ] }, { "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "SpyNote RAT", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0305", "external_id": "S0305" }, { "source_name": "SpyNote RAT", "description": "(Citation: Zscaler-SpyNote)" }, { "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "source_name": "Zscaler-SpyNote" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-10T15:24:08.969Z", "created": "2017-10-25T14:48:45.794Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0021", "x_mitre_version": "1.2", "x_mitre_aliases": [ "SpyNote RAT" ] }, { "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Stealth Mango", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0328", "external_id": "S0328" }, { "source_name": "Stealth Mango", "description": "(Citation: Lookout-StealthMango)" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:55:43.283Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0044", "x_mitre_version": "1.3", "x_mitre_aliases": [ "Stealth Mango" ] }, { "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Tangelo", "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0329", "external_id": "S0329" }, { "source_name": "Tangelo", "description": "(Citation: Lookout-StealthMango)" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2019-10-10T15:27:21.781Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "iOS" ], "x_mitre_old_attack_id": "MOB-S0045", "x_mitre_version": "1.2", "x_mitre_aliases": [ "Tangelo" ] }, { "external_references": [ { "external_id": "S0424", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0424" }, { "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", "source_name": "Kaspersky Triada March 2016" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", "name": "Triada", "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "type": "malware", "labels": [ "malware" ], "modified": "2020-05-28T16:52:37.979Z", "created": "2019-07-16T14:33:12.034Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "Triada" ], "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "S0427", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0427" }, { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "TrickMo", "description": "[TrickMo](https://attack.mitre.org/software/S0427) is a 2FA bypass mobile banking trojan, most likely distributed by [TrickBot](https://attack.mitre.org/software/S0266). 
[TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:57:37.561Z", "created": "2020-04-24T17:46:31.111Z", "x_mitre_version": "1.1", "x_mitre_aliases": [ "TrickMo" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Ohad Mana, Check Point", "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ] }, { "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0307", "external_id": "S0307" }, { "source_name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Trojan-SMS.AndroidOS.Agent.ao" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0023", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:46.411Z" }, { "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0306", "external_id": "S0306" }, { "source_name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Trojan-SMS.AndroidOS.FakeInst.a" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0022", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:46.107Z" }, { "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0308", "external_id": "S0308" }, { "source_name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Trojan-SMS.AndroidOS.OpFake.a" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0024", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:46.734Z" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0302", "external_id": "S0302" }, { "source_name": "Twitoor", "description": "(Citation: ESET-Twitoor)" }, { "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "source_name": "ESET-Twitoor" } ], "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", "name": "Twitoor", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-30T13:19:59.692Z", "created": "2017-10-25T14:48:42.313Z", "x_mitre_aliases": [ "Twitoor" ], "x_mitre_version": "2.0", "x_mitre_old_attack_id": "MOB-S0018", "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "S0418", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0418" }, { "source_name": "ViceLeaker", "description": "(Citation: SecureList - ViceLeaker 2019)" }, { "source_name": "Triout", "description": "(Citation: SecureList - ViceLeaker 2019)" }, { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "name": "ViceLeaker", "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "type": "malware", "labels": [ "malware" ], "modified": "2020-03-26T19:00:42.233Z", "created": "2019-11-21T16:42:48.203Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "ViceLeaker", "Triout" ], "x_mitre_platforms": [ "Android" ] }, { "external_references": [ { "external_id": "S0506", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0506" }, { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", "name": "ViperRAT", "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-29T20:03:42.662Z", "created": "2020-09-11T16:22:02.954Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "ViperRAT" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "WireLurker", "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0312", "external_id": "S0312" }, { "source_name": "WireLurker", "description": "(Citation: PaloAlto-WireLurker)" }, { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "WireLurker" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0028", "x_mitre_platforms": [ "iOS" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:37.020Z" }, { "external_references": [ { "external_id": "S0489", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0489" }, { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", "name": "WolfRAT", "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-11T15:58:40.564Z", "created": "2020-07-20T13:27:33.113Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "WolfRAT" ], "x_mitre_platforms": [ "Android" ] }, { "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "X-Agent for Android", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. 
The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) It is tracked separately from [CHOPSTICK](https://attack.mitre.org/software/S0023).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0314", "external_id": "S0314" }, { "source_name": "X-Agent for Android", "description": "(Citation: CrowdStrike-Android)" }, { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "X-Agent for Android" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0030", "x_mitre_platforms": [ "Android" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:42.034Z" }, { "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "XLoader for Android", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. 
It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0318", "external_id": "S0318" }, { "source_name": "XLoader for Android", "description": "(Citation: TrendMicro-XLoader)" }, { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." }, { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "labels": [ "malware" ], "modified": "2020-10-16T01:46:53.625Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Android" ], "x_mitre_old_attack_id": "MOB-S0034", "x_mitre_version": "2.0", "x_mitre_aliases": [ "XLoader for Android" ] }, { "external_references": [ { "external_id": "S0490", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0490" }, { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). 
XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", "name": "XLoader for iOS", "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "type": "malware", "labels": [ "malware" ], "modified": "2020-10-16T01:48:10.412Z", "created": "2020-07-20T13:58:53.422Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "XLoader for iOS" ], "x_mitre_platforms": [ "iOS" ] }, { "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "XcodeGhost", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0297", "external_id": "S0297" }, { "source_name": "XcodeGhost", "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)" }, { "source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" }, { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). 
Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "XcodeGhost" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0013", "x_mitre_platforms": [ "iOS" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:42.661Z" }, { "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "YiSpecter", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0311", "external_id": "S0311" }, { "source_name": "YiSpecter", "description": "(Citation: PaloAlto-YiSpecter)" }, { "source_name": "PaloAlto-YiSpecter", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved January 20, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "YiSpecter" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0027", "x_mitre_platforms": [ "iOS" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:48.301Z" }, { "created": "2020-07-27T14:14:56.729Z", "modified": "2020-08-11T14:23:15.002Z", "labels": [ "malware" ], "type": "malware", "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "name": "Zen", "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "S0494", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0494" }, { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "x_mitre_platforms": [ "Android" ], "x_mitre_aliases": [ "Zen" ], "x_mitre_version": "1.0" }, { "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "ZergHelper", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. 
(Citation: Xiao-ZergHelper)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0287", "external_id": "S0287" }, { "source_name": "ZergHelper", "description": "(Citation: Xiao-ZergHelper)" }, { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "ZergHelper" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0003", "x_mitre_platforms": [ "iOS" ], "type": "malware", "labels": [ "malware" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:44.853Z" }, { "external_references": [ { "external_id": "S0507", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0507" }, { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", "name": "eSurv", "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "type": "malware", "labels": [ "malware" ], "modified": "2020-09-14T15:39:17.698Z", "created": "2020-09-14T14:13:45.032Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "eSurv" ], "x_mitre_platforms": [ "Android", "iOS" ] }, { "external_references": [ { "external_id": "S0408", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0408" }, { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" }, { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." }, { "source_name": "FlexiSpy-Website", "url": "https://www.flexispy.com/", "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", "name": "FlexiSpy", "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "type": "tool", "labels": [ "tool" ], "modified": "2019-10-14T18:08:28.349Z", "created": "2019-09-04T15:38:56.070Z", "x_mitre_version": "1.0", "x_mitre_aliases": [ "FlexiSpy" ], "x_mitre_platforms": [ "Android" ], "x_mitre_contributors": [ "Emily Ratliff, IBM" ] }, { "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Xbot", "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/software/S0298", "external_id": "S0298" }, { "source_name": "Xbot", "description": "(Citation: PaloAlto-Xbot)" }, { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Xbot" ], "x_mitre_version": "1.1", "x_mitre_old_attack_id": "MOB-S0014", "x_mitre_platforms": [ "Android" ], "type": "tool", "labels": [ "tool" ], "modified": "2018-12-11T20:40:31.461Z", "created": "2017-10-25T14:48:48.609Z" }, { "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Collection", "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", "external_references": [ { "external_id": "TA0035", "url": "https://attack.mitre.org/tactics/TA0035", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "collection", "type": "x-mitre-tactic", "modified": "2020-01-27T14:06:10.915Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Command and Control", "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. 
Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). 
However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "external_references": [ { "external_id": "TA0037", "url": "https://attack.mitre.org/tactics/TA0037", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "command-and-control", "type": "x-mitre-tactic", "modified": "2020-01-27T14:06:59.132Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Credential Access", "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. 
With sufficient access within a network, an adversary can create accounts for later use within the environment.", "external_references": [ { "external_id": "TA0031", "url": "https://attack.mitre.org/tactics/TA0031", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "credential-access", "type": "x-mitre-tactic", "modified": "2020-01-27T14:05:02.718Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Defense Evasion", "description": "The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", "external_references": [ { "external_id": "TA0030", "url": "https://attack.mitre.org/tactics/TA0030", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "defense-evasion", "type": "x-mitre-tactic", "modified": "2020-01-27T14:04:46.497Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Discovery", "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. 
When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", "external_references": [ { "external_id": "TA0032", "url": "https://attack.mitre.org/tactics/TA0032", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "discovery", "type": "x-mitre-tactic", "modified": "2020-01-27T16:09:00.466Z", "created": "2018-10-17T00:14:20.652Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { "external_id": "TA0041", "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0041" } ], "name": "Execution", "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "type": "x-mitre-tactic", "modified": "2020-01-27T14:00:49.089Z", "created": "2020-01-27T14:00:49.089Z", "x_mitre_shortname": "execution" }, { "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exfiltration", "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). 
However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "external_references": [ { "external_id": "TA0036", "url": "https://attack.mitre.org/tactics/TA0036", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "exfiltration", "type": "x-mitre-tactic", "modified": "2020-01-27T14:06:42.009Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Impact", "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", "external_references": [ { "external_id": "TA0034", "url": "https://attack.mitre.org/tactics/TA0034", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "impact", "type": "x-mitre-tactic", "modified": "2020-01-27T16:09:15.308Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Initial Access", "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", "external_references": [ { "external_id": "TA0027", "url": "https://attack.mitre.org/tactics/TA0027", "source_name": "mitre-attack" } ], 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "initial-access", "type": "x-mitre-tactic", "modified": "2020-01-27T14:02:36.744Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Lateral Movement", "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", "external_references": [ { "external_id": "TA0033", "url": "https://attack.mitre.org/tactics/TA0033", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "lateral-movement", "type": "x-mitre-tactic", "modified": "2020-01-27T14:05:37.854Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Effects", "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. 
These include techniques to intercept or manipulate network traffic to and from the mobile device.", "external_references": [ { "external_id": "TA0038", "url": "https://attack.mitre.org/tactics/TA0038", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "network-effects", "type": "x-mitre-tactic", "modified": "2020-01-27T14:07:12.472Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Persistence", "description": "The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", "external_references": [ { "external_id": "TA0028", "url": "https://attack.mitre.org/tactics/TA0028", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "persistence", "type": "x-mitre-tactic", "modified": "2020-01-27T14:03:15.455Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Privilege Escalation", "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. 
Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", "external_references": [ { "external_id": "TA0029", "url": "https://attack.mitre.org/tactics/TA0029", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "privilege-escalation", "type": "x-mitre-tactic", "modified": "2020-01-27T14:03:49.343Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Remote Service Effects", "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", "external_references": [ { "external_id": "TA0039", "url": "https://attack.mitre.org/tactics/TA0039", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_shortname": "remote-service-effects", "type": "x-mitre-tactic", "modified": "2020-01-27T14:07:26.209Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Device Access", "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. 
The Matrices contain information for the following platforms: Android, iOS.", "external_references": [ { "external_id": "mobile-attack", "url": "https://attack.mitre.org/matrices/mobile", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-matrix", "tactic_refs": [ "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e" ], "modified": "2020-10-23T15:05:40.962Z", "created": "2018-10-17T00:14:20.652Z" }, { "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network-Based Effects", "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. 
The Matrices contain information for the following platforms: Android, iOS.", "external_references": [ { "external_id": "mobile-attack", "url": "https://attack.mitre.org/matrices/mobile", "source_name": "mitre-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-matrix", "tactic_refs": [ "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" ], "modified": "2020-07-02T14:18:17.535Z", "created": "2018-10-17T00:14:20.652Z" }, { "type": "marking-definition", "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-06-01T00:00:00Z", "definition_type": "statement", "definition": { "statement": "Copyright 2015-2020, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." } } ] }