{ "type": "bundle", "id": "bundle--13bb4ad6-7ab7-4e72-8093-1671dd1697ae", "spec_version": "2.0", "objects": [ { "modified": "2023-03-16T18:31:37.189Z", "name": "Call Control", "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_contributors": [ "Gaetan van Diemen, ThreatFabric" ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "created": "2021-09-20T13:42:20.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1616", "external_id": "T1616" }, { "source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", "external_id": "APP-41" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", "external_id": "CEL-42" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", "external_id": "CEL-36" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", "external_id": "CEL-18" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }