{ "type": "bundle", "id": "bundle--eb94af3a-7838-4380-9f08-5d9142bc7b40", "objects": [ { "tactic_refs": [ "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-matrix", "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "mobile-attack", "url": "https://attack.mitre.org/matrices/mobile-attack" } ], "x_mitre_deprecated": true, "revoked": false, "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.", "modified": "2022-04-06T15:44:04.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network-Based Effects", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "tactic_refs": [ "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e" ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "x-mitre-matrix", "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "mobile-attack", "url": "https://attack.mitre.org/matrices/mobile-attack" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. The Matrix contains information for the following platforms: Android, iOS.", "modified": "2022-04-06T15:43:22.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Mobile ATT&CK", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "type": "course-of-action", "created": "2017-10-25T14:48:51.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1006", "external_id": "M1006" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Use Recent OS Version", "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. 
They may also bring improvements that block use of observed adversary techniques.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "created": "2019-10-18T12:49:58.924Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1005", "url": "https://attack.mitre.org/mitigations/M1005" } ], "x_mitre_deprecated": true, "revoked": false, "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. 
Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", "modified": "2022-04-06T14:47:46.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Application Vetting", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "type": "course-of-action", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1013", "external_id": "M1013" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "type": "course-of-action", "created": "2017-10-25T14:48:53.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1012", "external_id": "M1012" } ], "modified": "2020-06-24T15:08:18.395Z", "name": "Enterprise Policy", "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of 
their allowed behavior.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "type": "course-of-action", "created": "2019-10-18T12:53:03.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1011", "url": "https://attack.mitre.org/mitigations/M1011" } ], "modified": "2019-10-18T15:51:48.318Z", "name": "User Guidance", "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "type": "course-of-action", "created": "2017-10-25T14:48:52.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1004", "external_id": "M1004" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "System Partition Integrity", "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "type": "course-of-action", "created": 
"2017-10-25T14:48:50.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1009", "external_id": "M1009" }, { "source_name": "TechCrunch-ATS", "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.", "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/" }, { "source_name": "Android-NetworkSecurityConfig", "description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.", "url": "https://developer.android.com/training/articles/security-config.html" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Encrypt Network Traffic", "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. 
using the IPsec protocol, can help mitigate some types of network attacks as well.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "type": "course-of-action", "created": "2017-10-25T14:48:49.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1003", "external_id": "M1003" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Lock Bootloader", "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "type": "course-of-action", "created": "2019-10-18T12:51:36.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1001", "url": "https://attack.mitre.org/mitigations/M1001" } ], "modified": "2019-10-18T14:56:15.631Z", "name": "Security Updates", "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn 
Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "type": "course-of-action", "created": "2017-10-25T14:48:52.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1010", "external_id": "M1010" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Deploy Compromised Device Detection Method", "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "type": "course-of-action", "created": "2017-10-25T14:48:50.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1014", "external_id": "M1014" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). 
Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "name": "Interconnection Filtering", "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "course-of-action", "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "created": "2017-10-25T14:48:51.365Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1007", "url": "https://attack.mitre.org/mitigations/M1007" } ], "x_mitre_deprecated": true, "revoked": false, "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. 
Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", "modified": "2022-04-06T14:47:19.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Caution with Device Administrator Access", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "type": "course-of-action", "created": "2019-10-18T12:50:35.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "M1002", "url": "https://attack.mitre.org/mitigations/M1002" } ], "modified": "2019-10-18T14:52:53.019Z", "name": "Attestation", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "CarbonSteal" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "type": "malware", "created": "2020-11-10T16:50:38.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0529", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0529" }, { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. 
Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2021-09-20T13:54:19.819Z", "name": "CarbonSteal", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Cerberus" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "type": "malware", "created": "2020-06-26T15:32:24.569Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0480", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0480" }, { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "modified": "2020-09-11T15:43:49.079Z", "name": "Cerberus", "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. 
Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "DroidJack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "created": "2017-10-25T14:48:40.571Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0320", "url": "https://attack.mitre.org/software/S0320" }, { "source_name": "DroidJack", "description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)" }, { "source_name": "Proofpoint-Droidjack", "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017." }, { "source_name": "Zscaler-SuperMarioRun", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "modified": "2022-05-20T17:13:16.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "DroidJack", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Rotexy" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "type": "malware", "created": "2019-09-23T13:36:07.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0411", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0411" }, { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." } ], "modified": "2020-09-11T15:53:38.216Z", "name": "Rotexy", "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Stealth Mango", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. 
The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Stealth Mango" ], "type": "malware", "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0328", "external_id": "S0328" }, { "source_name": "Stealth Mango", "description": "(Citation: Lookout-StealthMango)" }, { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Allwinner", "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. 
(Citation: HackerNews-Allwinner)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0319", "external_id": "S0319" }, { "source_name": "Allwinner", "description": "(Citation: HackerNews-Allwinner)" }, { "source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "GoldenEagle" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "type": "malware", "created": "2020-12-24T22:04:27.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0551", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0551" }, { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2021-03-25T16:20:28.165Z", "name": "GoldenEagle", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-21T18:53:30.817Z", "name": "Bread", "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_contributors": [ "Sergey Persikov, Check Point", "Jonathan Shimonovich, Check Point", "Aviran Hazum, Check Point" ], "x_mitre_aliases": [ "Bread", "Joker" ], "type": "malware", "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "created": "2020-05-04T14:04:55.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0432", "external_id": "S0432" }, { "source_name": "Joker", "description": "(Citation: Google Bread)" }, { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Judy", "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0325", "external_id": "S0325" }, { "source_name": "Judy", "description": "(Citation: CheckPoint-Judy)" }, { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "OldBoot", "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. 
(Citation: HackerNews-OldBoot)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "created": "2017-10-25T14:48:45.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0285", "external_id": "S0285" }, { "source_name": "OldBoot", "description": "(Citation: HackerNews-OldBoot)" }, { "source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Gooligan", "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. 
(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Gooligan", "Ghost Push" ], "type": "malware", "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "created": "2017-10-25T14:48:43.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0290", "external_id": "S0290" }, { "source_name": "Gooligan", "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" }, { "source_name": "Ghost Push", "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" }, { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" }, { "source_name": "Ludwig-GhostPush", "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi" }, { "source_name": "Lookout-Gooligan", "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. 
Retrieved December 12, 2016.", "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "SpyNote RAT", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "SpyNote RAT" ], "type": "malware", "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "created": "2017-10-25T14:48:45.794Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0305", "external_id": "S0305" }, { "source_name": "SpyNote RAT", "description": "(Citation: Zscaler-SpyNote)" }, { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Ohad Mana, Check Point", "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "TrickMo" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "type": "malware", "created": "2020-04-24T17:46:31.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0427", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0427" }, { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "modified": "2020-09-11T15:57:37.561Z", "name": "TrickMo", "description": "[TrickMo](https://attack.mitre.org/software/S0427) is a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). 
[TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "INSOMNIA" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "type": "malware", "created": "2020-06-02T14:32:31.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0463", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0463" }, { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
} ], "modified": "2020-06-24T18:24:35.433Z", "name": "INSOMNIA", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Dvmap" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", "type": "malware", "created": "2019-12-10T16:07:40.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0420", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0420" }, { "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "source_name": "SecureList DVMap June 2017" } ], "modified": "2020-01-22T22:17:23.015Z", "name": "Dvmap", "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. 
It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Zen" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "type": "malware", "created": "2020-07-27T14:14:56.729Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0494", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0494" }, { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "modified": "2020-08-11T14:23:15.002Z", "name": "Zen", "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "NotCompatible", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. 
(Citation: Lookout-NotCompatible)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "created": "2017-10-25T14:48:36.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0299", "external_id": "S0299" }, { "source_name": "NotCompatible", "description": "(Citation: Lookout-NotCompatible)" }, { "source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "XLoader for Android", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. 
It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "XLoader for Android" ], "type": "malware", "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0318", "external_id": "S0318" }, { "source_name": "XLoader for Android", "description": "(Citation: TrendMicro-XLoader)" }, { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" }, { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "created": "2017-10-25T14:48:46.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0306", "external_id": "S0306" }, { "source_name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "XLoader for iOS" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "type": "malware", "created": "2020-07-20T13:58:53.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0490", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0490" }, { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "modified": "2021-12-07T14:46:08.852Z", "name": "XLoader for iOS", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-13T22:33:55.061Z", "name": "AbstractEmu", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States; however, victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "AbstractEmu" ], "type": "malware", "id": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "created": "2023-02-06T18:48:41.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1061", "external_id": "S1061" }, { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Exodus", "Exodus One", "Exodus Two" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "type": "malware", "created": "2019-09-03T19:45:47.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0405", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0405" }, { "source_name": "Exodus One", "description": "(Citation: SWB Exodus March 2019)" }, { "source_name": "Exodus Two", "description": "(Citation: SWB Exodus March 2019)" }, { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "modified": "2019-10-14T17:15:52.191Z", "name": "Exodus", "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Dendroid", "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Dendroid" ], "type": "malware", "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "created": "2017-10-25T14:48:37.438Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0301", "external_id": "S0301" }, { "source_name": "Dendroid", "description": "(Citation: Lookout-Dendroid)" }, { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "WireLurker", "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. 
(Citation: PaloAlto-WireLurker)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "created": "2017-10-25T14:48:37.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0312", "external_id": "S0312" }, { "source_name": "WireLurker", "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" }, { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Desert Scorpion" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "type": "malware", "created": "2020-09-11T14:54:16.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0505", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0505" }, { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020." } ], "modified": "2021-04-19T17:11:50.159Z", "name": "Desert Scorpion", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Pegasus for iOS", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Pegasus for iOS" ], "type": "malware", "id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "created": "2017-10-25T14:48:44.238Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0289", "external_id": "S0289" }, { "source_name": "Pegasus for iOS", "description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)" }, { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" }, { "source_name": "PegasusCitizenLab", "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Tangelo", "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Tangelo" ], "type": "malware", "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0329", "external_id": "S0329" }, { "source_name": "Tangelo", "description": "(Citation: Lookout-StealthMango)" }, { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "RCSAndroid", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "RCSAndroid" ], "type": "malware", "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "created": "2017-10-25T14:48:38.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0295", "external_id": "S0295" }, { "source_name": "RCSAndroid", "description": "(Citation: TrendMicro-RCSAndroid)" }, { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Corona Updates", "Wabi Music", "Concipit1248" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "type": "malware", "created": "2020-04-24T15:06:32.870Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0425", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0425" }, { "source_name": "Wabi Music", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "Concipit1248", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "modified": "2020-09-11T15:45:38.235Z", "name": "Corona Updates", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. 
Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Skygofree", "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Skygofree" ], "type": "malware", "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0327", "external_id": "S0327" }, { "source_name": "Skygofree", "description": "(Citation: Kaspersky-Skygofree)" }, { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "KeyRaider", "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. 
(Citation: Xiao-KeyRaider)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "created": "2017-10-25T14:48:43.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0288", "external_id": "S0288" }, { "source_name": "KeyRaider", "description": "(Citation: Xiao-KeyRaider)" }, { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "ZergHelper", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. 
(Citation: Xiao-ZergHelper)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "created": "2017-10-25T14:48:44.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0287", "external_id": "S0287" }, { "source_name": "ZergHelper", "description": "(Citation: Xiao-ZergHelper)" }, { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "DoubleAgent" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "type": "malware", "created": "2020-12-24T21:50:02.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0550", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0550" }, { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2021-04-19T17:05:42.253Z", "name": "DoubleAgent", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Twitoor", "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Twitoor" ], "type": "malware", "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "created": "2017-10-25T14:48:42.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0302", "external_id": "S0302" }, { "source_name": "Twitoor", "description": "(Citation: ESET-Twitoor)" }, { "source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2023-04-13T22:32:16.509Z", "name": "S.O.V.A.", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "S.O.V.A." ], "type": "malware", "id": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "created": "2023-02-06T19:34:43.026Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1062", "external_id": "S1062" }, { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" }, { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "ANDROIDOS_ANSERVER.A", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "ANDROIDOS_ANSERVER.A" ], "type": "malware", "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "created": "2017-10-25T14:48:47.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0310", "external_id": "S0310" }, { "source_name": "ANDROIDOS_ANSERVER.A", "description": "(Citation: TrendMicro-Anserver)" }, { "source_name": "TrendMicro-Anserver", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "DualToy", "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. 
(Citation: PaloAlto-DualToy)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "created": "2017-10-25T14:48:41.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0315", "external_id": "S0315" }, { "source_name": "DualToy", "description": "(Citation: PaloAlto-DualToy)" }, { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Mandrake", "oxide", "briar", "ricinus", "darkmatter" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "type": "malware", "created": "2020-07-15T20:20:58.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0485", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0485" }, { "source_name": "oxide", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "briar", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "ricinus", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "darkmatter", "description": "(Citation: Bitdefender Mandrake)" }, { "source_name": "Bitdefender 
Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-09-11T15:52:12.097Z", "name": "Mandrake", "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "X-Agent for Android", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. 
(Citation: CrowdStrike-Android) It is tracked separately from [CHOPSTICK](https://attack.mitre.org/software/S0023).", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "created": "2017-10-25T14:48:42.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0314", "external_id": "S0314" }, { "source_name": "X-Agent for Android", "description": "(Citation: CrowdStrike-Android)" }, { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Lukáš Štefanko, ESET" ], "x_mitre_aliases": [ "DEFENSOR ID" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "type": "malware", "created": "2020-06-26T15:12:39.648Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0479", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0479" }, { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). 
Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "modified": "2020-06-26T20:16:31.850Z", "name": "DEFENSOR ID", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "MazarBOT", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "created": "2017-10-25T14:48:40.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0303", "external_id": "S0303" }, { "source_name": "MazarBOT", "description": "(Citation: Tripwire-MazarBOT)" }, { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Ginp" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "type": "malware", "created": "2020-04-08T15:51:24.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0423", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0423" }, { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "modified": "2020-09-11T15:50:18.707Z", "name": "Ginp", "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "HummingWhale", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. 
(Citation: ArsTechnica-HummingWhale)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "created": "2017-10-25T14:48:40.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0321", "external_id": "S0321" }, { "source_name": "HummingWhale", "description": "(Citation: ArsTechnica-HummingWhale)" }, { "source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "eSurv" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "type": "malware", "created": "2020-09-14T14:13:45.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0507", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0507" }, { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "modified": "2020-09-14T15:39:17.698Z", "name": "eSurv", "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-01T22:00:09.640Z", "name": "TangleBot", "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "TangleBot" ], "type": "malware", "id": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "created": "2023-02-28T21:39:52.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1069", "external_id": "S1069" }, { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Jörg Abraham, EclecticIQ" ], "x_mitre_aliases": [ "Monokle" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "type": "malware", "created": "2019-09-04T14:28:14.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://attack.mitre.org/software/S0407", "source_name": "mitre-attack", "external_id": "S0407" }, { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2021-11-01T18:30:41.998Z", "name": "Monokle", "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. 
It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)", "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Red Alert 2.0" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "type": "malware", "created": "2020-12-14T14:52:02.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0539", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0539" }, { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
} ], "modified": "2020-12-16T20:52:20.822Z", "name": "Red Alert 2.0", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "ViceLeaker", "Triout" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "type": "malware", "created": "2019-11-21T16:42:48.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0418", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0418" }, { "source_name": "ViceLeaker", "description": "(Citation: SecureList - ViceLeaker 2019)" }, { "source_name": "Triout", "description": "(Citation: SecureList - ViceLeaker 2019)" }, { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
} ], "modified": "2020-03-26T19:00:42.233Z", "name": "ViceLeaker", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Ofir Almkias, Cybereason" ], "x_mitre_aliases": [ "FakeSpy" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "type": "malware", "created": "2020-09-15T15:18:11.971Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0509", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0509" }, { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "modified": "2020-10-06T20:09:57.659Z", "name": "FakeSpy", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "SpyDealer", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "SpyDealer" ], "type": "malware", "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0324", "external_id": "S0324" }, { "source_name": "SpyDealer", "description": "(Citation: PaloAlto-SpyDealer)" }, { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Concipit1248", "Corona Updates" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "type": "malware", "created": "2020-04-24T15:12:10.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0426", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0426" }, { "source_name": "Corona Updates", "description": "(Citation: TrendMicro Coronavirus Updates)" }, { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "modified": "2020-04-30T18:30:05.787Z", "name": "Concipit1248", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "RuMMS", "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. 
(Citation: FireEye-RuMMS)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "created": "2017-10-25T14:48:48.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0313", "external_id": "S0313" }, { "source_name": "RuMMS", "description": "(Citation: FireEye-RuMMS)" }, { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Pegasus for Android", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. 
(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Pegasus for Android", "Chrysaor" ], "type": "malware", "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "created": "2017-10-25T14:48:41.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0316", "external_id": "S0316" }, { "source_name": "Pegasus for Android", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" }, { "source_name": "Chrysaor", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" }, { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" }, { "source_name": "Google-Chrysaor", "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. 
Retrieved April 16, 2017.", "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "FrozenCell" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "type": "malware", "created": "2021-02-17T20:43:52.033Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0577", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0577" }, { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
} ], "modified": "2021-04-19T14:07:24.519Z", "name": "FrozenCell", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "AndroidOS/MalLocker.B" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "type": "malware", "created": "2020-10-29T18:41:49.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0524", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0524" }, { "source_name": "Microsoft MalLockerB", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." } ], "modified": "2020-10-29T18:41:49.272Z", "name": "AndroidOS/MalLocker.B", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. 
(Citation: Microsoft MalLockerB)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-02-28T21:05:57.018Z", "name": "SharkBot", "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "SharkBot" ], "type": "malware", "id": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "created": "2023-01-18T19:44:52.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1055", "external_id": "S1055" }, { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "RedDrop", "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. 
(Citation: Wandera-RedDrop)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "RedDrop" ], "type": "malware", "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0326", "external_id": "S0326" }, { "source_name": "RedDrop", "description": "(Citation: Wandera-RedDrop)" }, { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "url": "https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "CHEMISTGAMES" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "type": "malware", "created": "2020-12-31T18:25:04.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0555", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0555" }, { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
} ], "modified": "2021-03-25T16:42:05.526Z", "name": "CHEMISTGAMES", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-20T18:19:15.826Z", "name": "YiSpecter", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "2.0", "x_mitre_aliases": [ "YiSpecter" ], "type": "malware", "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "created": "2017-10-25T14:48:48.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0311", "external_id": "S0311" }, { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "created": "2017-10-25T14:48:46.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0307", "external_id": "S0307" }, { "source_name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Anubis" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "type": "malware", "created": "2020-04-08T15:41:19.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0422", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0422" }, { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "modified": "2021-09-20T13:50:01.923Z", "name": "Anubis", "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "AndroRAT", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. 
(Citation: Lookout-EnterpriseApps)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "created": "2017-10-25T14:48:47.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0292", "external_id": "S0292" }, { "source_name": "AndroRAT", "description": "(Citation: Lookout-EnterpriseApps)" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Windows", "Android" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_aliases": [ "FinFisher", "FinSpy" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "type": "malware", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0182", "url": "https://attack.mitre.org/software/S0182", "source_name": "mitre-attack" }, { "source_name": "FinFisher", "description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" }, { "source_name": "FinSpy", "description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" }, { "url": "http://www.finfisher.com/FinFisher/index.html", "description": "FinFisher. (n.d.). 
Retrieved December 20, 2017.", "source_name": "FinFisher Citation" }, { "source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" }, { "url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.", "source_name": "FireEye FinSpy Sept 2017" }, { "source_name": "Securelist BlackOasis Oct 2017", "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.", "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" }, { "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", "source_name": "Microsoft FinFisher March 2018" } ], "modified": "2022-03-02T15:47:13.329Z", "name": "FinFisher", "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). 
(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", "x_mitre_version": "1.4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Agent Smith" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", "type": "malware", "created": "2020-05-07T15:18:34.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0440", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0440" }, { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." } ], "modified": "2020-06-17T12:49:21.423Z", "name": "Agent Smith", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Asacub", "Trojan-SMS.AndroidOS.Smaps" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "type": "malware", "created": "2020-12-14T15:02:35.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0540", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0540" }, { "source_name": "Trojan-SMS.AndroidOS.Smaps", "description": "(Citation: Securelist Asacub)" }, { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." } ], "modified": "2020-12-16T20:21:43.239Z", "name": "Asacub", "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "GPlayed" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "type": "malware", "created": "2020-11-24T17:55:12.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0536", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0536" }, { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.561Z", "name": "GPlayed", "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "EventBot" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "type": "malware", "created": "2020-06-26T14:55:12.847Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0478", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0478" }, { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T21:01:58.595Z", "name": "EventBot", "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "HenBox" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "type": "malware", "created": "2020-12-17T20:15:22.110Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0544", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0544" }, { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." } ], "modified": "2021-04-12T03:02:06.792Z", "name": "HenBox", "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. 
[HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Riltok" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "type": "malware", "created": "2019-08-07T15:57:12.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0403", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0403" }, { "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/", "source_name": "Kaspersky Riltok June 2019" } ], "modified": "2019-09-18T13:44:13.080Z", "name": "Riltok", "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "GolfSpy" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "type": "malware", "created": "2020-01-27T17:05:57.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0421", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0421" 
}, { "source_name": "Trend Micro Bouncing Golf 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020." } ], "modified": "2020-03-26T20:50:07.023Z", "name": "GolfSpy", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Pallas" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "type": "malware", "created": "2019-07-10T15:35:43.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0399", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0399" }, { "source_name": "Pallas", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-09-18T20:17:17.744Z", "name": "Pallas", "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Circles" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "type": "malware", "created": "2021-04-26T15:33:55.798Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0602", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0602" }, { "source_name": "CitizenLab Circles", "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." } ], "modified": "2021-04-26T15:33:55.798Z", "name": "Circles", "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. 
Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Tiktok Pro" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "type": "malware", "created": "2021-01-05T20:16:19.968Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0558", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0558" }, { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-04-19T16:30:16.930Z", "name": "Tiktok Pro", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "PJApps", "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. 
(Citation: Lookout-EnterpriseApps)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "created": "2017-10-25T14:48:43.527Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0291", "external_id": "S0291" }, { "source_name": "PJApps", "description": "(Citation: Lookout-EnterpriseApps)" }, { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "ShiftyBug", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. 
(Citation: Lookout-Adware)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "created": "2017-10-25T14:48:38.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0294", "external_id": "S0294" }, { "source_name": "ShiftyBug", "description": "(Citation: Lookout-Adware)" }, { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2023-04-21T18:52:08.966Z", "name": "HummingBad", "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_aliases": [ "HummingBad" ], "type": "malware", "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "created": "2017-10-25T14:48:42.948Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0322", "external_id": "S0322" }, { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Exobot", "Marcher" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "type": "malware", "created": "2020-10-29T13:32:20.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0522", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0522" }, { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" }, { "source_name": "Threat Fabric Exobot", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
} ], "modified": "2020-12-07T14:28:31.876Z", "name": "Exobot", "description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "OBAD", "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "created": "2017-10-25T14:48:44.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0286", "external_id": "S0286" }, { "source_name": "OBAD", "description": "(Citation: TrendMicro-Obad)" }, { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Android/Chuli.A", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. 
(Citation: Kaspersky-WUC)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Android/Chuli.A" ], "type": "malware", "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "created": "2017-10-25T14:48:45.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0304", "external_id": "S0304" }, { "source_name": "Android/Chuli.A", "description": "(Citation: Kaspersky-WUC)" }, { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Charger", "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. 
(Citation: CheckPoint-Charger)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "Charger" ], "type": "malware", "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "created": "2017-10-25T14:48:39.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0323", "external_id": "S0323" }, { "source_name": "Charger", "description": "(Citation: CheckPoint-Charger)" }, { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2023-04-13T22:33:34.237Z", "name": "Drinik", "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. 
Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "Drinik" ], "type": "malware", "id": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "created": "2023-01-18T19:05:43.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1054", "external_id": "S1054" }, { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", "created": "2017-10-25T14:48:46.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0308", "external_id": "S0308" }, { "source_name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "(Citation: Kaspersky-MobileMalware)" }, { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2022-10-24T15:09:07.609Z", "name": "XcodeGhost", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. 
(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "created": "2017-10-25T14:48:42.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0297", "external_id": "S0297" }, { "source_name": "XcodeGhost", "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)" }, { "source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" }, { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "SilkBean" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "type": "malware", "created": "2020-12-24T21:41:36.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0549", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0549" }, { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2021-04-19T14:29:45.809Z", "name": "SilkBean", "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "WolfRAT" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "type": "malware", "created": "2020-07-20T13:27:33.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0489", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0489" }, { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "modified": "2020-09-11T15:58:40.564Z", "name": "WolfRAT", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-28T17:20:20.194Z", "name": "BusyGasper", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. 
There have been fewer than 10 victims, all of whom appear to be located in Russia and all of whom were infected via physical access to the device.(Citation: SecureList BusyGasper)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "BusyGasper" ], "type": "malware", "id": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "created": "2021-10-01T14:42:48.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0655", "external_id": "S0655" }, { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "malware", "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "created": "2017-10-25T14:48:47.674Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "S0293", "url": "https://attack.mitre.org/software/S0293" }, { "source_name": "CheckPoint-BrainTest", "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/", "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016." 
}, { "source_name": "Lookout-BrainTest", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", "modified": "2022-04-15T15:36:43.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "BrainTest", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "TERRACOTTA" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "type": "malware", "created": "2020-12-18T20:14:46.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0545", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0545" }, { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-28T18:59:32.817Z", "name": "TERRACOTTA", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Triada" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "type": "malware", "created": "2019-07-16T14:33:12.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0424", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0424" }, { "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", "source_name": "Kaspersky Triada March 2016" } ], "modified": "2020-05-28T16:52:37.979Z", "name": "Triada", "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. 
Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Golden Cup" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "type": "malware", "created": "2020-11-20T15:44:57.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0535", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0535" }, { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." } ], "modified": "2020-12-22T21:48:10.951Z", "name": "Golden Cup", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-31T23:02:48.577Z", "name": "FluBot", "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. 
It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "x_mitre_platforms": [ "Android" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "FluBot" ], "type": "malware", "id": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "created": "2023-02-28T20:25:59.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1067", "external_id": "S1067" }, { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, { "source_name": "bitdefender_flubot_0524", "description": "Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "ViperRAT" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "type": "malware", "created": "2020-09-11T16:22:02.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0506", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0506" }, { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "modified": "2020-09-29T20:03:42.662Z", "name": "ViperRAT", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Adups", "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. 
The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "created": "2017-10-25T14:48:47.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0309", "external_id": "S0309" }, { "source_name": "Adups", "description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)" }, { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" }, { "source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. 
Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "SimBad" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "type": "malware", "created": "2019-11-21T19:16:34.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0419", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0419" }, { "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "source_name": "CheckPoint SimBad 2019" } ], "modified": "2020-01-27T17:01:31.634Z", "name": "SimBad", "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. 
The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Android/AdDisplay.Ashas" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "type": "malware", "created": "2020-10-29T19:19:08.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0525", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0525" }, { "source_name": "WeLiveSecurity AdDisplayAshas", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." } ], "modified": "2020-10-29T19:19:08.848Z", "name": "Android/AdDisplay.Ashas", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Marcher", "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. 
(Citation: Proofpoint-Marcher)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0317", "external_id": "S0317" }, { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "modified": "2023-03-29T21:11:14.364Z", "name": "TianySpy", "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. 
[TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_aliases": [ "TianySpy" ], "type": "malware", "id": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "created": "2023-01-19T18:05:30.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1056", "external_id": "S1056" }, { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "labels": [ "malware" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "DressCode", "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. 
(Citation: TrendMicro-DressCode)", "labels": [ "malware" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "created": "2017-10-25T14:48:37.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0300", "external_id": "S0300" }, { "source_name": "DressCode", "description": "(Citation: TrendMicro-DressCode)" }, { "source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "labels": [ "malware" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_aliases": [ "Gustuff" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "type": "malware", "created": "2019-09-03T20:08:00.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0406", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0406" }, { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
} ], "modified": "2019-10-14T19:14:17.007Z", "name": "Gustuff", "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "labels": [ "tool" ], "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Emily Ratliff, IBM" ], "x_mitre_aliases": [ "FlexiSpy" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "type": "tool", "created": "2019-09-04T15:38:56.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "S0408", "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0408" }, { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" }, { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." }, { "source_name": "FlexiSpy-Website", "url": "https://www.flexispy.com/", "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019." } ], "modified": "2019-10-14T18:08:28.349Z", "name": "FlexiSpy", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Xbot", "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", "labels": [ "tool" ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "type": "tool", "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "created": "2017-10-25T14:48:48.609Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0298", "external_id": "S0298" }, { "source_name": "Xbot", "description": "(Citation: PaloAlto-Xbot)" }, { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0027", "url": "https://attack.mitre.org/tactics/TA0027", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:02:36.744Z", "name": "Initial Access", "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "initial-access" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0036", "url": "https://attack.mitre.org/tactics/TA0036", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:06:42.009Z", "name": "Exfiltration", "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside 
enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "exfiltration" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0028", "url": "https://attack.mitre.org/tactics/TA0028", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:03:15.455Z", "name": "Persistence", "description": " The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. 
Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "persistence" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0029", "url": "https://attack.mitre.org/tactics/TA0029", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:03:49.343Z", "name": "Privilege Escalation", "description": " The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. 
Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "privilege-escalation" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0037", "url": "https://attack.mitre.org/tactics/TA0037", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:06:59.132Z", "name": "Command and Control", "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "command-and-control" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "type": "x-mitre-tactic", "created": "2020-01-27T14:00:49.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0041", "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0041" } ], "modified": "2020-01-27T14:00:49.089Z", "name": "Execution", "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "execution" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0034", "url": "https://attack.mitre.org/tactics/TA0034", "source_name": "mitre-attack" } ], "modified": "2020-01-27T16:09:15.308Z", "name": "Impact", "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. 
Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "impact" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0031", "url": "https://attack.mitre.org/tactics/TA0031", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:05:02.718Z", "name": "Credential Access", "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. 
With sufficient access within a network, an adversary can create accounts for later use within the environment.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "credential-access" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0035", "url": "https://attack.mitre.org/tactics/TA0035", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:06:10.915Z", "name": "Collection", "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "collection" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0033", "url": "https://attack.mitre.org/tactics/TA0033", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:05:37.854Z", "name": "Lateral Movement", "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. 
The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "lateral-movement" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0030", "url": "https://attack.mitre.org/tactics/TA0030", "source_name": "mitre-attack" } ], "modified": "2020-01-27T14:04:46.497Z", "name": "Defense Evasion", "description": " The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "defense-evasion" }, { "modified": "2022-11-07T21:01:17.781Z", "name": "Network Effects", "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. 
These include techniques to intercept or manipulate network traffic to and from the mobile device.", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_shortname": "network-effects", "type": "x-mitre-tactic", "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0038", "external_id": "TA0038" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "type": "x-mitre-tactic", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "TA0032", "url": "https://attack.mitre.org/tactics/TA0032", "source_name": "mitre-attack" } ], "modified": "2020-01-27T16:09:00.466Z", "name": "Discovery", "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. 
The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_shortname": "discovery" }, { "modified": "2022-11-07T21:01:36.112Z", "name": "Remote Service Effects", "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", "x_mitre_deprecated": true, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_shortname": "remote-service-effects", "type": "x-mitre-tactic", "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0039", "external_id": "TA0039" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Scheduled Task/Job", "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. 
`WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Lorin Wu, Trend Micro" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "created": "2020-11-04T16:43:31.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1603", "external_id": "T1603" }, { "source_name": "Android WorkManager", "description": "Google. (n.d.). Schedule tasks with WorkManager. 
Retrieved November 4, 2020.", "url": "https://developer.android.com/topic/libraries/architecture/workmanager" }, { "source_name": "Apple NSBackgroundActivityScheduler", "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "created": "2019-10-30T15:37:55.029Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1540", "url": "https://attack.mitre.org/techniques/T1540" }, { "source_name": "Fadeev Code Injection Aug 2018", "url": "https://fadeevab.com/shared-library-injection-on-android-8/", "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019." }, { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." }, { "source_name": "Shunix Code Injection Mar 2016", "url": "https://shunix.com/shared-library-injection-in-android/", "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019." } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. 
Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into their process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)\n", "modified": "2022-03-30T19:14:20.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Code Injection", "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-15T16:39:32.207Z", "name": "Adversary-in-the-Middle", "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). 
\n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. \n\n \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. 
", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "created": "2022-04-05T20:11:08.894Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1638", "external_id": "T1638" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "external_id": "CEL-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "external_id": "APP-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", "external_id": "APP-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html", "external_id": "ECO-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-15T16:23:59.281Z", "name": "Abuse Elevation Control Mechanism", "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. 
Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_deprecated": false, "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do so.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "created": "2022-04-01T15:54:05.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1626", "external_id": "T1626" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "type": "attack-pattern", "created": "2017-10-25T14:48:08.155Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1454", "external_id": "T1454" } ], "modified": 
"2019-04-29T19:35:30.985Z", "name": "Malicious SMS Message", "description": "Test", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", "created": "2017-10-25T14:48:18.237Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1470", "url": "https://attack.mitre.org/techniques/T1470" }, { "source_name": "Elcomsoft-EPPB", "url": "https://www.elcomsoft.com/eppb.html", "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016." }, { "source_name": "Elcomsoft-WhatsApp", "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/", "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-0" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-1" } ], "x_mitre_deprecated": true, "revoked": false, "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). 
Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "modified": "2022-04-06T15:54:11.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Obtain Device Cloud Backups", "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:43:03.218Z", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of the accessibility service or features that typically require root access.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "created": "2022-03-30T19:31:31.855Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/001", "external_id": "T1630.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:42:18.121Z", "name": "Indicator Removal on Host", "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. 
Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "iOS", "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "created": "2022-03-30T19:28:25.541Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630", "external_id": "T1630" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:52:29.947Z", "name": "Supply Chain Compromise", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of 
hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474", "external_id": "T1474" }, { "source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. 
Retrieved December 22, 2016.", "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" }, { "source_name": "NowSecure-RemoteCode", "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016.", "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", "external_id": "APP-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", "external_id": "SPC-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", "external_id": "SPC-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", "external_id": "SPC-2" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", "external_id": "SPC-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", "external_id": "SPC-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", "external_id": "SPC-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", "external_id": "SPC-7" }, { "source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", "external_id": "SPC-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "external_id": "SPC-9" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", "external_id": "SPC-10" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", "external_id": "SPC-11" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", "external_id": "SPC-12" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", "external_id": "SPC-13" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html", "external_id": "SPC-14" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", "external_id": "SPC-15" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", "external_id": "SPC-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", "external_id": "SPC-17" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", "external_id": "SPC-18" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html", "external_id": "SPC-19" }, { "source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", "external_id": "SPC-21" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:41:45.256Z", "name": "Impersonate SS7 Nodes", "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "created": "2022-04-05T19:49:58.938Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430/002", "external_id": "T1430.002" }, { "source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" }, { "source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. 
Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "external_id": "CEL-38" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "type": "attack-pattern", "created": "2017-10-25T14:48:30.462Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1425", "external_id": "T1425" } ], "modified": "2018-10-17T01:05:10.699Z", "name": "Insecure Third-Party Libraries", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:56:20.270Z", "name": "Protected User Data", "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "created": "2022-04-01T12:36:41.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636", "external_id": "T1636" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "created": "2022-04-05T20:15:43.636Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1521.002", "url": "https://attack.mitre.org/techniques/T1521/002" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control 
traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key algorithms include RSA, ElGamal, and ECDSA (note that ECDSA is a digital signature scheme rather than an encryption scheme).\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", "modified": "2022-04-05T20:16:21.324Z", "name": "Asymmetric Cryptography", "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:55:03.477Z", "name": "Software Discovery", "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. 
\n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "created": "2017-10-25T14:48:28.067Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1418", "external_id": "T1418" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:55:23.702Z", "name": "Process Discovery", "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. 
Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "created": "2017-10-25T14:48:33.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1424", "external_id": "T1424" }, { "source_name": "Android-SELinuxChanges", "description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.", "url": "https://code.google.com/p/android/issues/detail?id=205565" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-16T18:32:30.150Z", "name": "Call Log", "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. 
Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "created": "2022-04-01T13:12:23.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/002", "external_id": "T1636.002" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:55:33.642Z", "name": "Security Software Discovery", "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "created": "2022-03-31T19:50:45.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1418/001", "external_id": "T1418.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "type": "attack-pattern", "created": "2017-10-25T14:48:10.699Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1434", "external_id": "T1434" } ], "modified": "2018-10-17T01:05:10.699Z", "name": "App Delivered via Email Attachment", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:57:40.571Z", "name": "Ptrace System Calls", "description": "Adversaries may 
inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "created": "2022-03-30T19:05:17.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1631/001", "external_id": "T1631.001" }, { "source_name": "BH Linux Inject", "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.", "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf" }, { "source_name": "Medium Ptrace JUL 2018", "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.", "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" }, { "source_name": "PTRACE man", "description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. 
Retrieved February 21, 2020.", "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:59:55.849Z", "name": "Impair Defenses", "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "created": "2022-04-01T18:42:22.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629", "external_id": "T1629" }, { "source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Lukáš Štefanko, ESET" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "type": "attack-pattern", "created": "2017-10-25T14:48:08.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-mobile-attack", "external_id": "T1453", "url": "https://attack.mitre.org/techniques/T1453" }, { "url": "https://www.skycure.com/blog/accessibility-clickjacking/", "description": "Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", "source_name": "Skycure-Accessibility" }, { "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "source_name": "android-trojan-steals-paypal-2fa" }, { "source_name": "banking-trojans-google-play", "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/", "description": "Lukáš Štefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019." 
} ], "modified": "2020-03-30T14:03:43.761Z", "name": "Abuse Accessibility Features", "description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": true, "x_mitre_version": "2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:51:07.651Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. 
Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. 
\n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "created": "2017-10-25T14:48:13.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1428", "external_id": "T1428" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", "external_id": "APP-32" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "created": "2022-04-01T19:06:27.177Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1437.001", "url": "https://attack.mitre.org/techniques/T1437/001" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-29" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. 
Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order to blend in with routine device traffic, making it difficult for enterprises to inspect. ", "modified": "2022-04-06T13:07:45.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Web Protocols", "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:53:52.292Z", "name": "Steal Application Access Token", "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue. 
\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). 
For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "created": "2022-04-01T15:12:50.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1635", "external_id": "T1635" }, { "source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html" }, { "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" }, { "source_name": "Microsoft - OAuth Code Authorization flow - June 2019", "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow" }, { "source_name": "Microsoft Identity Platform Protocols May 2019", "description": "Microsoft. (n.d.). Retrieved September 12, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "created": "2022-04-11T20:05:56.069Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1628.002", "url": "https://attack.mitre.org/techniques/T1628/002" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "modified": "2022-04-11T20:05:56.069Z", "name": "User Evasion", "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "defense-evasion", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:37:57.884Z", "name": "Virtualization/Sandbox Evasion", "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "created": "2022-03-30T17:51:29.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1633", "external_id": "T1633" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "created": "2020-06-24T17:33:49.778Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1579", "url": "https://attack.mitre.org/techniques/T1579" }, { "source_name": "Apple Keychain Services", "url": "https://developer.apple.com/documentation/security/keychain_services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020." }, { "source_name": "Elcomsoft Decrypt Keychain", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/", "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "AUT-11" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "modified": "2022-04-01T15:02:43.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Keychain", "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "created": "2017-10-25T14:48:17.176Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1413", "url": 
"https://attack.mitre.org/techniques/T1413" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-3" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-13" } ], "x_mitre_deprecated": true, "revoked": false, "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", "modified": "2022-04-06T15:37:34.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Sensitive Data in Device Logs", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:16:19.547Z", "name": "Command and Scripting Interpreter", "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. 
Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "created": "2022-03-30T13:40:37.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1623", "external_id": "T1623" }, { "source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:40:12.912Z", "name": "Disable or Modify Tools", "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "created": "2022-04-01T18:51:13.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/003", "external_id": "T1629.003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:43:44.687Z", "name": "Ingress Tool Transfer", "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to 
facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "created": "2020-01-21T15:27:30.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1544", "external_id": "T1544" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "created": "2022-04-05T19:57:15.734Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1637", "url": "https://attack.mitre.org/techniques/T1637" }, { "source_name": "Data Driven Security DGA", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", "description": "Jacobs, J. (2014, October 2). 
Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", "modified": "2022-04-05T19:57:15.734Z", "name": "Dynamic Resolution", "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1477", "url": "https://attack.mitre.org/techniques/T1477" }, { "source_name": "Forbes-iPhoneSMS", "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016." }, { "source_name": "Register-BaseStation", "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/", "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016." }, { "source_name": "ProjectZero-BroadcomWiFi", "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html", "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018." }, { "source_name": "Weinmann-Baseband", "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf", "description": "R. Weinmann. (2012, August 6-7). 
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016." }, { "source_name": "SRLabs-SIMCard", "url": "https://srlabs.de/bites/rooting-sim-cards/", "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016." } ], "x_mitre_deprecated": true, "revoked": false, "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. 
Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", "modified": "2022-04-06T15:42:13.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit via Radio Interfaces", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "created": "2017-10-25T14:48:26.890Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1423", "url": "https://attack.mitre.org/techniques/T1423" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "modified": "2022-04-11T19:12:38.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Service Scanning", "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "discovery", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "created": "2021-09-30T18:18:52.285Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1618", "url": "https://attack.mitre.org/techniques/T1618" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. 
That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "modified": "2022-04-11T20:06:56.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "User Evasion", "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "created": "2022-04-01T15:43:45.913Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1646", "url": "https://attack.mitre.org/techniques/T1646" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-29" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. 
Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "modified": "2022-04-08T16:25:44.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exfiltration Over C2 Channel", "x_mitre_detection": "Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "exfiltration", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:49:53.301Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user-level permission to root permissions depending on the component that is vulnerable. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "created": "2017-10-25T14:48:29.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1404", "external_id": "T1404" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-16T18:31:37.189Z", "name": "Call Control", "description": "Adversaries may make, forward, or block phone calls without user authorization. 
This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_contributors": [ "Gaetan van Diemen, ThreatFabric" ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "created": "2021-09-20T13:42:20.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1616", "external_id": "T1616" }, { "source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", "external_id": "APP-41" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", "external_id": "CEL-42" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", "external_id": "CEL-36" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", "external_id": "CEL-18" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "created": "2022-04-06T13:22:57.683Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1639.001", "url": "https://attack.mitre.org/techniques/T1639/001" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-30" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. 
The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", "modified": "2022-04-06T13:23:10.087Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exfiltration Over Unencrypted Non-C2 Protocol", "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "exfiltration", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-16T18:27:42.752Z", "name": "Broadcast Receivers", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. 
This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_contributors": [ "Alex Hinchliffe, Palo Alto Networks" ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "created": "2022-03-30T14:41:00.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1624/001", "external_id": "T1624.001" }, { "source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", "created": "2017-10-25T14:48:16.650Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1436", "url": "https://attack.mitre.org/techniques/T1436" } ], "x_mitre_deprecated": true, "revoked": false, "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. 
\n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", "modified": "2022-04-06T15:40:47.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Commonly Used Port", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "created": "2017-10-25T14:48:26.104Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1439", "url": "https://attack.mitre.org/techniques/T1439" }, { "source_name": "mHealth", "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps", "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-0" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-1" } ], "x_mitre_deprecated": false, "revoked": true, "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "modified": "2022-04-05T20:17:46.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Eavesdrop on Insecure Network Communication", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-15T16:26:05.050Z", "name": "Access Notifications", "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. 
Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "created": "2019-09-15T15:26:08.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1517", "external_id": "T1517" }, { "source_name": "ESET 2FA Bypass", "description": "Lukáš Štefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. 
Retrieved September 15, 2019.", "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "created": "2017-10-25T14:48:14.982Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1410", "url": "https://attack.mitre.org/techniques/T1410" }, { "source_name": "Skycure-Profiles", "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016." } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. 
For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "modified": "2022-04-15T17:52:24.123Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Traffic Capture or Redirection", "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "created": "2017-10-25T14:48:34.407Z", "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1411", "url": "https://attack.mitre.org/techniques/T1411" }, { "source_name": "Felt-PhishingOnMobileDevices", "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016." }, { "source_name": "Android Background", "url": "https://developer.android.com/guide/components/activities/background-starts", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. 
Retrieved September 18, 2019." }, { "source_name": "Android-getRunningTasks", "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017." }, { "source_name": "Cloak and Dagger", "url": "http://cloak-and-dagger.org/", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019." }, { "source_name": "Group IB Gustuff Mar 2019", "url": "https://www.group-ib.com/blog/gustuff", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." }, { "source_name": "eset-finance", "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", "description": "Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018." }, { "source_name": "Hassell-ExploitingAndroid", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019." }, { "source_name": "XDA Bubbles", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019." }, { "source_name": "NowSecure Android Overlay", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/", "description": "Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. 
Retrieved September 18, 2019." }, { "source_name": "ThreatFabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." }, { "source_name": "StackOverflow-getRunningAppProcesses", "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017." }, { "source_name": "Skycure-Accessibility", "url": "https://www.skycure.com/blog/accessibility-clickjacking/", "description": "Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-31" } ], "x_mitre_deprecated": false, "revoked": true, "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. 
use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "modified": "2022-04-05T19:52:32.190Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Input Prompt", "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "created": "2022-04-06T13:19:33.785Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1639", "url": "https://attack.mitre.org/techniques/T1639" }, { "url": 
"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-30" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", "modified": "2022-04-29T17:29:00.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exfiltration Over Alternative Protocol", "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "exfiltration", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "type": "attack-pattern", "created": "2017-10-25T14:48:24.069Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1460", "external_id": "T1460" } ], "modified": "2018-10-17T01:05:10.703Z", "name": "Biometric Spoofing", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-16T18:26:46.043Z", "name": "Boot or Logon Initialization Scripts", 
"description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "created": "2017-10-25T14:48:31.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1398", "external_id": "T1398" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:44:26.317Z", "name": "Execution Guardrails", "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). 
While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. Application vetting services can detect unnecessary or potentially malicious permissions or API calls.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "created": "2022-03-30T20:31:16.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627", "external_id": "T1627" }, { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:55:51.676Z", "name": "GUI Input Capture", "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. 
", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "created": "2022-04-05T19:48:31.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417/002", "external_id": "T1417.002" }, { "source_name": "Felt-PhishingOnMobileDevices", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf" }, { "source_name": "Android Background", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", "url": "https://developer.android.com/guide/components/activities/background-starts" }, { "source_name": "Cloak and Dagger", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.", "url": "http://cloak-and-dagger.org/" }, { "source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff" }, { "source_name": "eset-finance", "description": "Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" }, { "source_name": "Hassell-ExploitingAndroid", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. 
Retrieved October 10, 2019.", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf" }, { "source_name": "XDA Bubbles", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/" }, { "source_name": "NowSecure Android Overlay", "description": "Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/" }, { "source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. 
Retrieved December 21, 2016.", "url": "https://www.skycure.com/blog/accessibility-clickjacking/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "created": "2017-10-25T14:48:11.535Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1432", "url": "https://attack.mitre.org/techniques/T1432" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-13" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "modified": "2022-04-01T13:19:41.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Contact List", "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", "kill_chain_phases": [ { "phase_name": "collection", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:20:11.752Z", "name": "Compromise Client Software Binary", "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. 
Application vetting services could detect applications trying to modify files in protected parts of the operating system.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "created": "2022-03-30T19:53:27.791Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1645", "external_id": "T1645" }, { "source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:54:40.501Z", "name": "Software Packing", "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. 
A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may also use packing techniques to reduce binary size or to protect proprietary code.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "iOS", "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "created": "2022-03-30T19:20:37.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406/002", "external_id": "T1406.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "type": "attack-pattern", "created": "2017-10-25T14:48:16.288Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1445", "external_id": "T1445" } ], "modified": "2018-10-17T01:05:10.701Z", "name": "Abuse of iOS Enterprise App Signing Key", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "created": "2017-10-25T14:48:09.864Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1450", "url": "https://attack.mitre.org/techniques/T1450" }, { "source_name": "3GPP-Security", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." }, { "source_name": "CSRIC5-WG10-FinalReport", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." }, { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" }, { "source_name": "Positive-SS7", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." }, { "source_name": "Engel-SS7-2008", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016." }, { "source_name": "Engel-SS7", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-38" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "modified": "2022-04-05T19:54:12.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit SS7 to Track Device Location", "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "created": "2020-04-28T14:35:37.309Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1575", "url": "https://attack.mitre.org/techniques/T1575" }, { "source_name": "Google NDK Getting Started", "url": "https://developer.android.com/ndk/guides", "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020." }, { "source_name": "MITRE App Vetting Effectiveness", "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf", "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "modified": "2022-04-08T15:46:24.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Native API", "x_mitre_detection": "This is abuse of standard OS-level APIs and is therefore typically undetectable to the end user.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", 
"external_id": "T1476", "url": "https://attack.mitre.org/techniques/T1476" }, { "source_name": "IBTimes-ThirdParty", "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861", "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018." }, { "source_name": "TrendMicro-RootingMalware", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/", "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018." }, { "source_name": "android-trojan-steals-paypal-2fa", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." }, { "source_name": "TrendMicro-FlappyBird", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/", "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "AUT-9" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-13" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-21" } ], "x_mitre_deprecated": true, "revoked": false, "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. 
This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "modified": "2022-04-06T15:41:16.863Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Deliver Malicious App via Other Means", "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. 
\n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", "created": "2017-10-25T14:48:07.827Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1469", "url": "https://attack.mitre.org/techniques/T1469" }, { "source_name": "Honan-Hacking", "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/", "description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-5" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "EMM-7" } ], "x_mitre_deprecated": true, "revoked": false, "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "modified": "2022-04-06T15:54:28.187Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Remotely Wipe Data Without Authorization", "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:57:14.285Z", "name": "Proxy Through Victim", "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. 
On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "created": "2020-11-30T14:26:07.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1604", "external_id": "T1604" }, { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "created": "2019-09-23T13:11:43.694Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1520", "url": "https://attack.mitre.org/techniques/T1520" }, { "source_name": "Data Driven Security DGA", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." }, { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
} ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "modified": "2022-04-05T20:03:46.788Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Domain Generation Algorithms", "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "created": "2017-10-25T14:48:20.727Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1435", "url": "https://attack.mitre.org/techniques/T1435" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-13" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "modified": "2022-04-01T12:50:48.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Calendar Entries", "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", "kill_chain_phases": [ { "phase_name": "collection", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "created": "2017-10-25T14:48:21.354Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1465", "url": "https://attack.mitre.org/techniques/T1465" }, { "source_name": "Kaspersky-DarkHotel", "url": "https://blog.kaspersky.com/darkhotel-apt/6613/", "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016." }, { "source_name": "NIST-SP800153", "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf", "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "LPN-0" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "modified": "2022-04-06T15:51:11.938Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Rogue Wi-Fi Access Points", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:54:25.564Z", "name": "Foreground Persistence", "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_contributors": [ "Lorin Wu, Trend Micro" ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "created": "2019-11-19T17:32:20.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1541", "external_id": "T1541" }, { "source_name": "Android-SensorsOverview", "description": "Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.", "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices" }, { "source_name": "Android-ForegroundServices", "description": "Google. (n.d.). Services overview. 
Retrieved November 19, 2019.", "url": "https://developer.android.com/guide/components/services.html#Foreground" }, { "source_name": "TrendMicro-Yellow Camera", "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/" }, { "source_name": "BlackHat Sutter Android Foreground 2019", "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. Retrieved December 26, 2019.", "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "created": "2017-10-25T14:48:23.233Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1458", "url": "https://attack.mitre.org/techniques/T1458" }, { "source_name": "Krebs-JuiceJacking", "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016." 
}, { "source_name": "GoogleProjectZero-OATmeal", "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html", "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018." }, { "source_name": "Lau-Mactans", "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", "description": "Lau et al. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016." }, { "source_name": "Computerworld-iPhoneCracking", "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html", "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018." }, { "source_name": "IBM-NexusUSB", "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/", "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "PHY-1" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "PHY-2" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "STA-6" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. 
In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift that purportedly can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", "modified": "2022-04-08T15:53:11.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Replication Through Removable Media", "x_mitre_detection": "", "kill_chain_phases": [ { "phase_name": "initial-access", "kill_chain_name": "mitre-mobile-attack" }, { "phase_name": "lateral-movement", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-16T13:31:29.924Z", "name": "Audio Capture", "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. 
\n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "created": "2017-10-25T14:48:12.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1429", "external_id": "T1429" }, { "source_name": "Manifest.permission", "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.", "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL" }, { "source_name": "Requesting Auth-Media Capture", "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. 
Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios" }, { "source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission" }, { "source_name": "Android Privacy Indicators", "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", "url": "https://source.android.com/devices/tech/config/privacy-indicators" }, { "source_name": "iOS Mic Spyware", "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:59:46.686Z", "name": "Hijack Execution Flow", "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. 
Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "created": "2022-03-30T14:49:18.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1625", "external_id": "T1625" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:41:18.389Z", "name": "Unix Shell", "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. 
Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "created": "2022-03-30T13:59:50.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1623/001", "external_id": "T1623.001" }, { "source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). 
Knox for Mobile Threat Defense. Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "created": "2017-10-25T14:48:33.158Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1437", "url": "https://attack.mitre.org/techniques/T1437" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-29" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "modified": "2022-04-19T20:03:51.831Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Application Layer Protocol", "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. 
Enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "type": "attack-pattern", "created": "2017-10-25T14:48:11.861Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1431", "external_id": "T1431" } ], "modified": "2018-10-17T01:05:10.699Z", "name": "App Delivered via Web Download", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:21:59.494Z", "name": "Download New Code at Runtime", "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. 
(Citation: FireEye-JSPatch) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.4", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "created": "2017-10-25T14:48:14.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1407", "external_id": "T1407" }, { "source_name": "FireEye-JSPatch", "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. 
Retrieved December 9, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", "external_id": "APP-20" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "created": "2017-10-25T14:48:21.023Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1468", "url": "https://attack.mitre.org/techniques/T1468" }, { "source_name": "Krebs-Location", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/", "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-5" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "EMM-7" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "modified": "2022-04-05T19:40:25.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Remotely Track Device Without Authorization", "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:51:04.432Z", "name": "System Checks", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative of a virtual environment. 
Adversaries may also query for specific readings from these devices. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "created": "2022-03-30T17:53:35.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1633/001", "external_id": "T1633.001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:53:16.029Z", "name": "Stored Application Data", "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 
777) \n* The adversary gains root permissions on the device ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "created": "2017-10-25T14:48:15.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1409", "external_id": "T1409" }, { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", "external_id": "AUT-0" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:57:43.022Z", "name": "Screen Capture", "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. 
Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "created": "2019-08-08T18:34:14.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1513", "external_id": "T1513" }, { "source_name": "Android ScreenCap2 2019", "description": "Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.", "url": "https://developer.android.com/studio/command-line/adb" }, { "source_name": "Android ScreenCap1 2019", "description": "Android Developers. (n.d.). Android MediaProjectionManager. 
Retrieved August 8, 2019.", "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager" }, { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" }, { "source_name": "Fortinet screencap July 2019", "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.", "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html" }, { "source_name": "Trend Micro ScreenCap July 2015", "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html", "external_id": "APP-40" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:44:26.748Z", "name": "Transmitted Data Manipulation", "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. 
The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. 
This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to applications that make use of them.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "created": "2022-04-06T13:39:39.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1641/001", "external_id": "T1641.001" }, { "source_name": "ESET Clipboard Modification February 2019", "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. 
Retrieved July 26, 2019.", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "created": "2017-10-25T14:48:07.460Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1452", "url": "https://attack.mitre.org/techniques/T1452" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).", "modified": "2022-04-06T13:57:24.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Manipulate App Store Rankings or Ratings", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "created": "2017-10-25T14:48:32.008Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1416", "url": "https://attack.mitre.org/techniques/T1416" }, { "source_name": "Trend Micro iOS URL Hijacking", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." }, { "source_name": "IETF-PKCE", "url": "https://tools.ietf.org/html/rfc7636", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. 
This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "modified": "2022-04-01T15:17:21.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "URI Hijacking", "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:28:54.940Z", "name": "Compromise Software Dependencies and Development Tools", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. 
Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "created": "2022-03-28T19:31:51.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/001", "external_id": "T1474.001" }, { "source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.", "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", "external_id": "APP-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", "external_id": "SPC-0" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", "external_id": "SPC-3" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "external_id": "SPC-9" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", "external_id": "SPC-10" }, { "source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", "external_id": "SPC-15" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "created": "2019-10-02T14:46:43.632Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1523", "url": "https://attack.mitre.org/techniques/T1523" }, { "source_name": "Sophos Anti-emulation", "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/", "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019." }, { "source_name": "Xiao-ZergHelper", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016." }, { "source_name": "Cyberscoop Evade Analysis January 2019", "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/", "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019." }, { "source_name": "ThreatFabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." 
}, { "source_name": "Github Anti-emulator", "url": "https://github.com/strazzere/anti-emulator", "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019." }, { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." } ], "x_mitre_deprecated": false, "revoked": true, "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "modified": "2022-03-30T17:54:56.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Evade Analysis Environment", "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_is_subtechnique": false, 
"x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:43:49.443Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_contributors": [ "Leo Zhang, Trend Micro", "Steven Du, Trend Micro" ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "created": "2022-04-01T15:15:35.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1635/001", "external_id": "T1635.001" }, { "source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html" }, { "source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" }, { "source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:52:52.097Z", "name": "Subvert Trust Controls", "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "created": "2022-03-30T18:05:46.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1632", "external_id": "T1632" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "created": "2017-10-25T14:48:11.116Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1433", "url": "https://attack.mitre.org/techniques/T1433" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-13" } ], "x_mitre_deprecated": false, "revoked": true, "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the 
call log, so privilege escalation would be required in order to access the data.", "modified": "2022-04-01T13:14:43.174Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Access Call Log", "x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "created": "2020-09-11T15:04:14.532Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1581", "url": "https://attack.mitre.org/techniques/T1581" }, { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." }, { "source_name": "Apple Location Services", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services", "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020." }, { "source_name": "Android Geofencing API", "url": "https://developer.android.com/training/location/geofencing", "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020." 
} ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "modified": "2022-03-30T20:43:31.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Geofencing", "x_mitre_detection": "Users can review which applications have location permissions in the operating system’s settings menu. 
On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "created": "2017-10-25T14:48:29.774Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1401", "url": "https://attack.mitre.org/techniques/T1401" }, { "source_name": "Android DeviceAdminInfo", "url": "https://developer.android.com/reference/android/app/admin/DeviceAdminInfo", "description": "Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-22" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "modified": "2022-04-01T16:52:36.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Device Administrator Permissions", "x_mitre_detection": "Users can see when an app requests device administrator permissions. 
Users can also view which apps have device administrator permissions in the settings menu.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "type": "attack-pattern", "created": "2017-10-25T14:48:34.830Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1443", "external_id": "T1443" } ], "modified": "2018-10-17T01:05:10.701Z", "name": "Remotely Install Application", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:45:39.362Z", "name": "Keychain", "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. 
Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "created": "2022-04-01T15:01:32.169Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1634/001", "external_id": "T1634.001" }, { "source_name": "Apple Keychain Services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", "url": "https://developer.apple.com/documentation/security/keychain_services" }, { "source_name": "Elcomsoft Decrypt Keychain", "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020.", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", "created": "2017-10-25T14:48:29.092Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1403", "url": "https://attack.mitre.org/techniques/T1403" }, { "source_name": "Sabanal-ART", "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf", "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016." } ], "x_mitre_deprecated": true, "revoked": false, "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. 
Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", "modified": "2022-04-06T15:46:29.338Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify Cached Executable Code", "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "type": "attack-pattern", "created": "2017-10-25T14:48:28.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "external_id": "T1419", "url": "https://attack.mitre.org/techniques/T1419", "source_name": "mitre-mobile-attack" }, { "url": "https://developer.android.com/reference/android/os/Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", "source_name": "Android-Build" } ], "modified": "2019-10-16T13:24:48.936Z", "name": "Device Type Discovery", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). 
Device information could be used to target privilege escalation exploits.", "kill_chain_phases": [ { "phase_name": "discovery", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "created": "2020-05-04T13:49:34.706Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1576", "url": "https://attack.mitre.org/techniques/T1576" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-43" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "modified": "2022-03-30T19:34:09.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Uninstall Malicious Application", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "created": "2017-10-25T14:48:31.694Z", "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1447", "url": "https://attack.mitre.org/techniques/T1447" }, { "source_name": "Android DevicePolicyManager 2019", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html", "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019." } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. 
The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "modified": "2022-03-30T19:50:37.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Delete Device Data", "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "created": "2017-10-25T14:48:09.082Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1448", "url": "https://attack.mitre.org/techniques/T1448" }, { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." }, { "source_name": "AndroidSecurity2014", "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf", "description": "Google. (2014). 
Android Security 2014 Year in Review. Retrieved December 12, 2016." } ], "x_mitre_deprecated": false, "revoked": true, "description": "A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "modified": "2022-04-06T13:57:38.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Carrier Billing Fraud", "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "type": "attack-pattern", "created": "2017-10-25T14:48:17.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1415", "external_id": "T1415" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "AUT-10" }, { "source_name": "FireEye-Masque2", "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. 
Retrieved December 21, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" }, { "source_name": "Dhanjani-URLScheme", "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple’s iOS. Retrieved December 21, 2016.", "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" }, { "source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636" }, { "source_name": "MobileIron-XARA", "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" } ], "modified": "2020-10-23T15:05:40.674Z", "name": "URL Scheme Hijacking", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_is_subtechnique": false }, { "modified": "2023-03-16T13:32:55.266Z", "name": "Bidirectional Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. 
Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "created": "2022-04-06T15:47:06.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/002", "external_id": "T1481.002" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:51:58.228Z", "name": "Non-Standard Port", "description": "Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "created": "2019-08-01T13:44:09.368Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1509", "external_id": "T1509" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:32:37.109Z", "name": "Compromise Software Supply Chain", "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system 
compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "created": "2022-03-28T19:25:17.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/003", "external_id": "T1474.003" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", "external_id": "SPC-11" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", "external_id": "SPC-12" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", "external_id": "SPC-18" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": 
"SPC-20" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:56:04.790Z", "name": "Dead Drop Resolver", "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "created": "2022-04-06T15:41:03.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/001", "external_id": "T1481.001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:50:21.363Z", "name": "Location Tracking", "description": "Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. 
On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. 
\n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "created": "2017-10-25T14:48:12.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430", "external_id": "T1430" }, { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" }, { "source_name": "Android Request Location Permissions", "description": "Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.", "url": "https://developer.android.com/training/location/permissions" }, { "source_name": "Apple Requesting Authorization for Location Services", "description": "Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services" }, { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" }, { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html", "external_id": "APP-24" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:56:34.537Z", "name": "Device Administrator Permissions", "description": "Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application’s manifest. 
This indicates it can prompt the user for device administrator permissions.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "created": "2022-04-01T15:59:05.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1626/001", "external_id": "T1626.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "created": "2017-10-25T14:48:17.886Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1446", "url": "https://attack.mitre.org/techniques/T1446" }, { "source_name": "Xiao-KeyRaider", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016." 
}, { "source_name": "Android resetPassword", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)", "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-28" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "modified": "2022-04-01T18:49:51.039Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Device Lockout", "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:58:20.113Z", "name": "Remote Device Management Services", "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. 
", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "created": "2022-04-05T19:37:15.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430/001", "external_id": "T1430.001" }, { "source_name": "Krebs-Location", "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", "created": "2017-10-25T14:48:13.625Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1427", "url": "https://attack.mitre.org/techniques/T1427" }, { "source_name": 
"ArsTechnica-PoisonTap", "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/", "description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016." }, { "source_name": "Wang-ExploitingUSB", "url": "http://dl.acm.org/citation.cfm?id=1920314", "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "PHY-2" } ], "x_mitre_deprecated": true, "revoked": false, "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC.(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. 
We are unaware of any demonstrations on iOS.", "modified": "2022-04-06T15:39:14.695Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Attack PC via USB Connection", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "type": "attack-pattern", "created": "2017-10-25T14:48:05.928Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1441", "external_id": "T1441" } ], "modified": "2018-10-17T01:05:10.700Z", "name": "Stolen Developer Credentials or Signing Keys", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "created": "2017-10-25T14:48:22.296Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1467", "url": "https://attack.mitre.org/techniques/T1467" }, { "source_name": "Computerworld-Femtocell", "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html", "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-7" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "modified": "2022-04-06T15:52:41.578Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Rogue Cellular Base Station", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Karim Hasanen, @_karimhasanen" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "created": "2017-10-25T14:48:20.329Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1451", "url": "https://attack.mitre.org/techniques/T1451" }, { "source_name": "Betanews-Simswap", "url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", "description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016." }, { "source_name": "Krebs-SimSwap", "url": "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/", "description": "Brian Krebs. (2018, May 18). 
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018." }, { "source_name": "TechCrunch-SimSwap", "url": "https://techcrunch.com/2017/08/23/i-was-hacked/", "description": "John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018." }, { "source_name": "Motherboard-Simswap2", "url": "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", "description": "Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018." }, { "source_name": "Motherboard-Simswap1", "url": "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin", "description": "Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018." }, { "source_name": "Guardian-Simswap", "url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters", "description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016." }, { "source_name": "NYGov-Simswap", "url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", "description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "STA-22" } ], "x_mitre_deprecated": true, "revoked": false, "description": "An adversary could convince the mobile network operator (e.g. 
through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)\n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)", "modified": "2022-04-06T15:53:54.872Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "SIM Card Swap", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:44:36.145Z", "name": "Input Capture", "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. 
[GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "created": "2017-10-25T14:48:27.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417", "external_id": "T1417" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", "external_id": "AUT-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:57:17.144Z", "name": "Generate Traffic from Victim", "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. 
Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the “Special access” page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "created": "2022-04-06T13:55:14.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1643", "external_id": "T1643" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", "external_id": "APP-16" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:18:29.556Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching 
for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "created": "2022-04-08T16:29:30.087Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/003", "external_id": "T1630.003" }, { "source_name": "Brodie", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf" }, { "source_name": "Rastogi", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf" }, { "source_name": "Tan", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017.", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "external_id": "EMM-5" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_contributors": [ "Alex Hinchliffe, Palo Alto Networks" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "created": "2017-10-25T14:48:35.247Z", "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1444", "url": "https://attack.mitre.org/techniques/T1444" }, { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." }, { "source_name": "Zhou", "url": "http://ieeexplore.ieee.org/document/6234407", "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-31" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-14" } ], "x_mitre_deprecated": true, "revoked": false, "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. 
Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "modified": "2022-04-06T15:45:52.558Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Masquerade as Legitimate Application", "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "type": "attack-pattern", "created": "2017-10-25T14:48:19.682Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1457", "external_id": "T1457" } ], "modified": "2018-10-17T01:05:10.703Z", "name": "Malicious Media Content", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-16T18:28:28.234Z", "name": "Calendar Entries", "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. 
\n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, and revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application’s manifest, or `NSCalendarsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "created": "2022-04-01T12:48:27.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/001", "external_id": "T1636.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:52:24.758Z", "name": "File Deletion", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. 
An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact that file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could apply extra scrutiny to applications that request device administrator permissions.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "created": "2022-03-30T19:36:09.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/002", "external_id": "T1630.002" }, { "source_name": "Android DevicePolicyManager 2019", "description": "Android Developers. (n.d.). DevicePolicyManager. 
Retrieved September 22, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:39:10.201Z", "name": "Device Lockout", "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. 
Applications that request device administrator permissions should be scrutinized further for malicious behavior.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "created": "2022-04-01T18:49:03.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/002", "external_id": "T1629.002" }, { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" }, { "source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" }, { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" }, { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:48:39.936Z", "name": "Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n* Additional methods of keylogging may be possible if root access is available. \n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. 
On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "created": "2022-04-05T19:45:03.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417/001", "external_id": "T1417.001" }, { "source_name": "Zeltser-Keyboard", "description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.", "url": "https://zeltser.com/third-party-keyboards-security/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", "external_id": "AUT-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:58:57.001Z", "name": "SMS Control", "description": "Adversaries may delete, alter, or send SMS messages without user authorization. 
This could be used to hide C2 SMS messages, spread malware, or cause various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view the default SMS handler in system settings.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "created": "2020-09-11T15:14:33.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1582", "external_id": "T1582" }, { "source_name": "Android SmsProvider", "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.", "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java" }, { "source_name": "SMS KitKat", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. 
Retrieved September 11, 2020.", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", "external_id": "APP-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html", "external_id": "CEL-41" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "created": "2017-10-25T14:48:14.003Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1408", "url": "https://attack.mitre.org/techniques/T1408" }, { "source_name": "Brodie", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016." }, { "source_name": "Rastogi", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016." }, { "source_name": "Tan", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "EMM-5" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", "modified": "2022-04-08T16:29:55.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Disguise Root/Jailbreak Indicators", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "created": "2017-10-25T14:48:27.307Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1438", "url": "https://attack.mitre.org/techniques/T1438" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-30" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. 
If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ", "modified": "2022-04-18T19:46:02.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exfiltration Over Other Network Medium", "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "type": "attack-pattern", "created": "2017-10-25T14:48:26.473Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1440", "external_id": "T1440" } ], "modified": "2018-10-17T01:05:10.700Z", "name": "Detect App Analysis Environment", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:55:54.442Z", "name": "Process Injection", "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. 
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nNeither Android nor iOS provides a legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "created": "2022-03-30T18:50:43.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1631", "external_id": "T1631" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "type": "attack-pattern", "created": "2017-10-25T14:48:24.905Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1462", "external_id": "T1462" } ], "modified": "2018-10-17T01:05:10.704Z", "name": "Malicious Software Development Tools", "x_mitre_version": "1.0", 
"x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "created": "2022-04-05T20:14:17.310Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1521.001", "url": "https://attack.mitre.org/techniques/T1521/001" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", "modified": "2022-04-05T20:14:17.310Z", "name": "Symmetric Cryptography", "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "created": "2017-10-25T14:48:30.127Z", "x_mitre_version": "2.0", "external_references": [ { 
"source_name": "mitre-attack", "external_id": "T1402", "url": "https://attack.mitre.org/techniques/T1402" }, { "source_name": "Android Changes to System Broadcasts", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." } ], "x_mitre_deprecated": false, "revoked": true, "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "modified": "2022-03-30T14:43:46.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Broadcast Receivers", "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:21:12.603Z", "name": "Compromise Hardware Supply Chain", "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "created": "2022-03-28T19:30:15.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/002", "external_id": "T1474.002" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", "external_id": "SPC-1" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", "external_id": "SPC-2" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", "external_id": "SPC-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", "external_id": "SPC-6" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", "external_id": "SPC-7" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", "external_id": "SPC-8" }, { "source_name": "NIST Mobile Threat 
Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", "external_id": "SPC-13" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", "external_id": "SPC-16" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", "external_id": "SPC-17" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", "external_id": "SPC-21" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-16T18:33:20.042Z", "name": "Clipboard Data", "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could detect usage of standard clipboard APIs.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "3.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "created": "2017-10-25T14:48:19.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1414", "external_id": "T1414" }, { "source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" }, { "source_name": "UIPPasteboard", "description": "Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/uikit/uipasteboard" }, { "source_name": "Fahl-Clipboard", "description": "Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019.", "url": "http://saschafahl.de/static/paper/pwmanagers2013.pdf" }, { "source_name": "Github Capture Clipboard 2019", "description": "Pearce, G. (, January). 
Retrieved August 8, 2019.", "url": "https://github.com/grepx/android-clipboard-security" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html", "external_id": "APP-35" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "created": "2017-10-25T14:48:30.890Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1400", "url": "https://attack.mitre.org/techniques/T1400" }, { "source_name": "Android-VerifiedBoot", "url": "https://source.android.com/security/verifiedboot/", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." }, { "source_name": "Apple-iOSSecurityGuide", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-27" } ], "x_mitre_deprecated": false, "revoked": true, "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. 
Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "modified": "2022-03-30T15:18:21.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify System Partition", "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:55:32.497Z", "name": "Data Manipulation", "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. 
For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "created": "2022-04-06T13:34:46.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1641", "external_id": "T1641" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:58:33.873Z", "name": "SMS Messages", "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "created": "2022-04-01T13:25:30.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/004", "external_id": "T1636.004" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:37:13.730Z", "name": "Web Service", "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. 
Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "created": "2019-02-01T17:29:43.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481", "external_id": "T1481" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:46:08.412Z", "name": "System Runtime API Hijacking", "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. 
By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "created": "2022-03-30T15:07:51.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1625/001", "external_id": "T1625.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "type": "attack-pattern", "created": "2017-10-25T14:48:07.149Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1455", "external_id": "T1455" } ], "modified": "2018-10-17T01:05:10.702Z", "name": "Exploit Baseband Vulnerability", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T15:45:44.103Z", "name": "Credentials from Password Store", "description": "Adversaries may search common password storage locations to obtain user credentials. 
Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "created": "2022-04-01T14:55:10.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1634", "external_id": "T1634" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Hooking", "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. 
Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_contributors": [ "Jörg Abraham, EclecticIQ" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "created": "2021-09-24T14:47:34.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1617", "external_id": "T1617" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1478", "url": "https://attack.mitre.org/techniques/T1478" }, { "source_name": 
"Talos-MDM", "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html", "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018." }, { "source_name": "Symantec-iOSProfile", "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security", "description": "Yair Amit. (2013, March 12). Malicious Profiles – The Sleeping Giant of iOS Security. Retrieved September 24, 2018." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "STA-7" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. 
The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "modified": "2022-03-30T18:18:15.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Install Insecure or Malicious Configuration", "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "kill_chain_phases": [ { "phase_name": "defense-evasion", "kill_chain_name": "mitre-mobile-attack" }, { "phase_name": "initial-access", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:53:35.087Z", "name": "File and Directory Discovery", "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. 
The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "created": "2017-10-25T14:48:21.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1420", "external_id": "T1420" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", "external_id": "STA-41" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "created": "2017-10-25T14:48:32.328Z", "x_mitre_version": "3.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1406", "url": "https://attack.mitre.org/techniques/T1406" }, { 
"source_name": "Microsoft MalLockerB", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-21" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", "modified": "2022-04-06T12:36:31.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Obfuscated Files or Information", "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). 
Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Input Injection", "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programmatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. 
This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_contributors": [ "Lukáš Štefanko, ESET" ], "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "created": "2019-09-15T15:26:22.356Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1516", "external_id": "T1516" }, { "source_name": "android-trojan-steals-paypal-2fa", "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" }, { "source_name": "bitwarden autofill logins", "description": "Bitwarden. (n.d.). Auto-fill logins on Android . 
Retrieved September 15, 2019.", "url": "https://help.bitwarden.com/article/auto-fill-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:51:23.109Z", "name": "Network Denial of Service", "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jams devices within the jammer’s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "created": "2017-10-25T14:48:25.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1464", "external_id": "T1464" }, { "source_name": "CNET-Celljammer", 
"description": "Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.", "url": "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/" }, { "source_name": "Arstechnica-Celljam", "description": "David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018.", "url": "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/" }, { "source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" }, { "source_name": "NYTimes-Celljam", "description": "Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.", "url": "https://www.nytimes.com/2007/11/04/technology/04jammer.html" }, { "source_name": "Digitaltrends-Celljam", "description": "Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. 
Retrieved November 8, 2018.", "url": "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "external_id": "CEL-7" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", "external_id": "CEL-8" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", "external_id": "LPN-5" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", "external_id": "GPS-0" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", "name": "Compromise Application Executable", "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantage of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. 
This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "created": "2020-05-07T15:24:49.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1577", "external_id": "T1577" }, { "source_name": "Guardsquare Janus", "description": "Guardsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.", "url": "https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures" }, { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_is_subtechnique": false }, { "modified": "2023-03-20T18:43:46.177Z", "name": "Event Triggered Execution", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "created": "2022-03-30T14:25:41.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1624", "external_id": "T1624" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:50:32.697Z", "name": "System Network Configuration Discovery", "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. \n\n \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.3", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "created": "2017-10-25T14:48:32.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422", "external_id": "T1422" }, { "source_name": "NetworkInterface", "description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/java/net/NetworkInterface.html" }, { "source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "created": "2017-10-25T14:48:25.322Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1463", "url": "https://attack.mitre.org/techniques/T1463" }, { "source_name": "FireEye-SSL", "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html", "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-1" } ], "x_mitre_deprecated": false, "revoked": true, "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", "modified": "2022-04-06T15:44:48.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Manipulate Device Communication", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:38:27.848Z", "name": "Video Capture", "description": "An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "created": "2019-08-09T16:14:58.254Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1512", "external_id": "T1512" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:53:34.118Z", "name": "One-Way Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. 
Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "created": "2022-04-06T15:52:07.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/003", "external_id": "T1481.003" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "created": "2018-10-17T00:14:20.652Z", 
"x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1475", "url": "https://attack.mitre.org/techniques/T1475" }, { "source_name": "Oberheide-Bouncer", "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf", "description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016." }, { "source_name": "Oberheide-RemoteInstall", "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/", "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016." }, { "source_name": "Percoco-Bouncer", "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf", "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016." }, { "source_name": "Konoth", "url": "http://www.vvdveen.com/publications/BAndroid.pdf", "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016." }, { "source_name": "Petsas", "url": "http://dl.acm.org/citation.cfm?id=2592796", "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016." }, { "source_name": "Wang", "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei", "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-4" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-16" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-17" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-20" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-21" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-22" } ], "x_mitre_deprecated": true, "revoked": false, "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. 
Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "modified": "2022-04-06T15:41:33.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Deliver Malicious App via Authorized App Store", "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:55:09.397Z", "name": "Data Encrypted for Impact", 
"description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "3.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "created": "2017-10-25T14:48:10.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1471", "external_id": "T1471" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", "external_id": "APP-28" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:54:36.502Z", "name": "Prevent Application Removal", "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. 
This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. 
Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "created": "2022-04-01T18:44:32.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/001", "external_id": "T1629.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "created": "2017-10-25T14:48:33.574Z", "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1421", "url": "https://attack.mitre.org/techniques/T1421" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. 
On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WifiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application to hold the `ACCESS_FINE_LOCATION` permission.", "modified": "2022-03-31T16:31:12.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "System Network Connections Discovery", "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "discovery", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "created": "2017-10-25T14:48:24.488Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1461", "url": "https://attack.mitre.org/techniques/T1461" }, { "source_name": "Wired-AndroidBypass", "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", 
"description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016." }, { "source_name": "Kaspersky-iOSBypass", "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/", "description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016." }, { "source_name": "TheSun-FaceID", "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/", "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple’s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018." }, { "source_name": "SRLabs-Fingerprint", "url": "https://srlabs.de/bites/spoofing-fingerprints/", "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. 
Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", "modified": "2022-04-19T15:36:12.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Lockscreen Bypass", "x_mitre_detection": "Users can see if someone is watching them type in their device passcode.", "kill_chain_phases": [ { "phase_name": "initial-access", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "created": "2020-12-16T20:16:07.673Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1605", "url": "https://attack.mitre.org/techniques/T1605" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s `Runtime` package. 
On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", "modified": "2022-03-30T14:00:45.099Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Command-Line Interface", "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T15:40:11.937Z", "name": "Contact List", "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. 
Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "iOS", "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "created": "2022-04-01T13:17:52.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/003", "external_id": "T1636.003" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "created": "2019-10-10T15:12:42.790Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1533", "url": "https://attack.mitre.org/techniques/T1533" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "STA-41" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may search local system sources, such as file systems or local 
databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", "modified": "2022-04-01T16:53:27.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Data from Local System", "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-15T16:34:51.917Z", "name": "Account Access Removal", "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "created": "2022-04-06T13:29:47.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1640", "external_id": "T1640" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "created": "2017-10-25T14:48:19.265Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1426", "url": "https://attack.mitre.org/techniques/T1426" }, { "source_name": "Android-Build", "url": "https://developer.android.com/reference/android/os/Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-12" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ", "modified": "2022-04-11T19:21:34.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "System Information Discovery", "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "phase_name": "discovery", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "type": "attack-pattern", "created": "2017-10-25T14:48:28.786Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1442", "external_id": "T1442" } ], "modified": 
"2018-10-17T01:05:10.701Z", "name": "Fake Developer Accounts", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "created": "2019-07-26T14:15:31.451Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1510", "url": "https://attack.mitre.org/techniques/T1510" }, { "source_name": "Android 10 Privacy Changes", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." }, { "source_name": "Dr.Webb Clipboard Modification origin August 2018", "url": "https://vms.drweb.com/virus/?i=17517750", "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019." }, { "source_name": "Dr.Webb Clipboard Modification origin2 August 2018", "url": "https://vms.drweb.com/virus/?i=17517761", "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019." }, { "source_name": "ESET Clipboard Modification February 2019", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/", "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019." }, { "source_name": "Welivesecurity Clipboard Modification February 2019", "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", "description": "Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019." 
}, { "source_name": "Syracuse Clipboard Modification 2014", "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf", "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019." } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "modified": "2022-04-06T13:41:17.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Clipboard Modification", "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "created": "2019-10-10T15:00:44.181Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1532", "url": "https://attack.mitre.org/techniques/T1532" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. 
", "modified": "2022-04-01T15:01:02.140Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Archive Collected Data", "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", "kill_chain_phases": [ { "phase_name": "collection", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:58:14.240Z", "name": "Geofencing", "description": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. 
These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Users can review which applications have location permissions in the operating system’s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. 
Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "created": "2022-03-30T20:36:03.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627/001", "external_id": "T1627.001" }, { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "created": "2019-07-10T15:18:16.753Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1507", "url": "https://attack.mitre.org/techniques/T1507" } ], "x_mitre_deprecated": false, "revoked": true, "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", "modified": "2022-03-31T16:33:55.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Information Discovery", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
"phase_name": "collection" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "created": "2017-10-25T14:48:15.920Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1412", "url": "https://attack.mitre.org/techniques/T1412" } ], "x_mitre_deprecated": false, "revoked": true, "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. 
Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "modified": "2022-04-01T13:27:29.880Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Capture SMS Messages", "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:41:56.376Z", "name": "Endpoint Denial of Service", "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "created": "2022-04-06T13:52:05.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1642", "external_id": "T1642" }, { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" }, { "source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:53:59.025Z", "name": "Out of Band Data", "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. 
", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_deprecated": false, "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "created": "2022-04-06T15:27:34.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1644", "external_id": "T1644" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "created": "2019-10-01T14:18:47.762Z", "x_mitre_version": "2.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1521", "url": "https://attack.mitre.org/techniques/T1521" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "modified": "2022-04-05T20:11:35.852Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Encrypted Channel", "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", "created": "2017-10-25T14:48:22.716Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1405", "url": "https://attack.mitre.org/techniques/T1405" }, { "source_name": "EkbergTEE", "url": "https://usmile.at/symposium/program/2015/ekberg", "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016." }, { "source_name": "Thomas-TrustZone", "url": "https://usmile.at/symposium/program/2015/thomas-holmes", "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016." 
}, { "source_name": "QualcommKeyMaster", "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html", "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016." }, { "source_name": "laginimaineb-TEE", "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html", "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-27" } ], "x_mitre_deprecated": true, "revoked": false, "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). 
If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", "modified": "2022-04-06T15:41:57.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit TEE Vulnerability", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:51:29.931Z", "name": "Suppress Application Icon", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. 
If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_contributors": [ "Emily Ratliff, IBM" ], "x_mitre_deprecated": false, "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine. Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "created": "2022-03-30T20:06:22.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/001", "external_id": "T1628.001" }, { "source_name": "Android 10 Limitations to Hiding App Icons", "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons" }, { "source_name": "LauncherApps getActivityList", "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.", "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist" }, { "source_name": "sunny-stolen-credentials", "description": "Lukáš Štefanko. 
(2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/" }, { "source_name": "android-trojan-steals-paypal-2fa", "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019.", "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", "created": "2017-10-25T14:48:18.583Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1399", "url": "https://attack.mitre.org/techniques/T1399" }, { "source_name": "Apple-iOSSecurityGuide", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016." }, { "source_name": "Roth-Rootkits", "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf", "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016." 
}, { "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "APP-27" } ], "x_mitre_deprecated": true, "revoked": false, "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "modified": "2022-04-06T15:48:41.647Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Modify Trusted Execution Environment", "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "type": "attack-pattern", "created": "2017-10-25T14:48:23.652Z", "revoked": true, "external_references": [ { "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1459", "external_id": "T1459" } ], "modified": "2018-10-17T01:05:10.703Z", "name": "Device Unlock Code Guessing or Brute Force", "x_mitre_version": "1.0", 
"x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "created": "2017-10-25T14:48:21.667Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1466", "url": "https://attack.mitre.org/techniques/T1466" }, { "source_name": "NIST-SP800187", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-3" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "modified": "2022-04-06T15:50:42.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Downgrade to Insecure Protocols", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "created": "2017-10-25T14:48:18.937Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1472", "url": "https://attack.mitre.org/techniques/T1472" } ], "x_mitre_deprecated": false, "revoked": true, "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", "modified": "2022-04-06T13:57:49.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Generate Fraudulent Advertising Revenue", "x_mitre_detection": "", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_domains": [ "mobile-attack" ], "id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "type": "attack-pattern", "created": "2017-10-25T14:48:09.446Z", "revoked": true, "external_references": [ { 
"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1473", "external_id": "T1473" } ], "modified": "2018-10-17T01:05:10.704Z", "name": "Malicious or Vulnerable Built-in Device Functionality", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "created": "2022-03-30T19:19:23.777Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1406.001", "url": "https://attack.mitre.org/techniques/T1406/001" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "modified": "2022-04-21T17:30:16.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Steganography", "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. 
Look for strings or other signatures left in system artifacts related to decoding steganography.", "kill_chain_phases": [ { "phase_name": "defense-evasion", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", "created": "2017-10-25T14:48:06.524Z", "x_mitre_version": "1.2", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1449", "url": "https://attack.mitre.org/techniques/T1449" }, { "source_name": "3GPP-Security", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." }, { "source_name": "CSRIC5-WG10-FinalReport", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." }, { "source_name": "TheRegister-SS7", "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/", "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018." }, { "source_name": "Positive-SS7", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." 
}, { "source_name": "Engel-SS7-2008", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016." }, { "source_name": "Engel-SS7", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "CEL-37" } ], "x_mitre_deprecated": true, "revoked": false, "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "modified": "2022-04-06T15:53:27.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). 
(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:59:57.485Z", "name": "Hide Artifacts", "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. 
Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "created": "2022-03-30T20:00:12.654Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628", "external_id": "T1628" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-16T18:37:55.822Z", "name": "Code Signing Policy Modification", "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. 
A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "created": "2022-03-30T18:13:26.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1632/001", "external_id": "T1632.001" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "created": "2022-04-05T19:59:03.161Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1637.001", "url": "https://attack.mitre.org/techniques/T1637/001" }, { "source_name": "Data Driven Security DGA", "url": 
"https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." }, { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", "modified": "2022-04-05T19:59:22.888Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Domain Generation Algorithms", "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names.", "kill_chain_phases": [ { "phase_name": "command-and-control", "kill_chain_name": "mitre-mobile-attack" } ], "x_mitre_is_subtechnique": true, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-20T18:24:56.530Z", "name": "Drive-By Compromise", "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. 
A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "x_mitre_domains": [ "mobile-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "created": "2017-10-25T14:48:06.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1456", "external_id": "T1456" }, { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" }, { "source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", "external_id": "CEL-22" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "created": "2019-07-11T18:09:42.039Z", "x_mitre_version": "1.1", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1508", "url": "https://attack.mitre.org/techniques/T1508" }, { "source_name": "sunny-stolen-credentials", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/", "description": "Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019." }, { "source_name": "android-trojan-steals-paypal-2fa", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." }, { "source_name": "bankbot-spybanker", "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019." 
} ], "x_mitre_deprecated": false, "revoked": true, "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", "modified": "2022-03-30T20:07:33.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Suppress Application Icon", "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", "type": "relationship", "created": "2019-08-07T15:57:13.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "modified": "2019-09-15T15:36:42.340Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4fc165fd-185e-4c70-b423-c242cf715510", "created": "2019-10-07T16:32:27.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:55:21.480Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": 
"Zscaler-SuperMarioRun", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)", "modified": "2022-05-20T17:13:16.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9", "created": "2021-10-01T14:42:49.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:26:02.260Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can hide its icon.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "PaloAlto-SpyDealer", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc", "created": "2023-03-20T18:37:57.767Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:37:57.767Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223", "type": "relationship", "created": "2020-11-20T16:37:28.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.610Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has been distributed in two stages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", "type": "relationship", "created": "2020-06-02T14:32:31.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." } ], "modified": "2020-06-02T14:32:31.885Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device’s location.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", "type": "relationship", "created": "2020-04-24T15:06:33.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "modified": "2020-04-24T15:06:33.503Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0", "created": "2023-02-28T20:30:01.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:08:11.662Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can retrieve the contacts list from an infected device.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f", "created": "2022-04-01T18:52:13.171Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", "modified": "2022-04-01T18:52:13.171Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a", "created": "2020-01-27T17:05:58.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:27:51.998Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s call log.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f0e39856-4d2d-45c5-bf16-f683ee993010", "created": "2022-03-30T18:18:15.915Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T18:18:15.915Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8c7598a6-6046-491d-99a7-52c31974a9a9", "created": "2023-03-20T18:57:40.504Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:57:40.504Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": 
"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02", "type": "relationship", "created": "2020-12-17T20:15:22.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." } ], "modified": "2020-12-17T20:15:22.452Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60", "created": "2020-11-24T17:55:12.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:21:27.210Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can access the device’s contact list.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a20581b4-21fa-4ed9-b056-d139998868e8", "created": "2019-09-04T14:28:15.970Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:52:44.819Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f", "type": "relationship", "created": "2020-12-24T22:04:28.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:28.002Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has sent messages to an attacker-controlled number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "modified": "2020-07-20T13:49:03.710Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a8565c17-7054-4d3f-bca5-6e17dc931491", "created": "2023-03-03T16:20:08.033Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:20:08.033Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used private APIs to download and install other pieces of itself, as well as other malicious apps. (Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4", "created": "2020-09-15T15:18:12.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:31:30.741Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c", "created": "2022-04-06T15:52:07.805Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": 
false, "description": "", "modified": "2022-04-06T15:52:07.805Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", "type": "relationship", "created": "2019-10-18T15:51:48.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2020-06-24T15:02:13.534Z", "description": "Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--204e30ed-5e69-400b-a814-b77e10596865", "created": "2022-04-06T15:50:42.481Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T15:50:42.481Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
], "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", "type": "relationship", "created": "2019-10-10T15:17:00.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm", "source_name": "FlexiSpy-Features" } ], "modified": "2019-10-14T18:08:28.666Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--022e941f-30c3-45a9-9f6f-36e704b80060", "created": "2020-04-24T17:46:31.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:44:13.361Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea", "created": "2022-03-30T19:32:43.015Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. 
Attestation can detect rooted devices.", "modified": "2022-03-30T19:32:43.015Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a", "created": "2020-07-27T14:14:56.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:19:00.199Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. 
[Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd", "created": "2023-03-20T15:40:11.819Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:40:11.819Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bee919a6-c488-49a0-9848-fff19aa2c276", "type": "relationship", "created": "2021-09-24T14:47:34.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-04T20:08:48.556Z", "description": "Mobile security products can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": 
"relationship--7c6207c7-d738-4a17-8380-595c86574b64", "type": "relationship", "created": "2020-09-11T16:22:03.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "modified": "2020-09-11T16:22:03.298Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can track the device’s location.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645", "type": "relationship", "created": "2021-02-08T16:36:20.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "modified": "2021-05-24T13:16:56.410Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d995dfff-e4b2-4e07-8e76-b064354f591a", "created": "2022-04-01T12:49:32.365Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. ", "modified": "2022-04-01T12:49:32.365Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798", "type": "relationship", "created": "2020-10-29T19:01:13.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Microsoft MalLockerB", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", "description": "D. Venkatesan. (2020, October 8). 
Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." } ], "modified": "2020-10-29T19:01:13.854Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has employed both name mangling and meaningless variable names in source. [AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. (Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", "type": "relationship", "created": "2020-05-11T16:37:36.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "modified": "2020-05-11T16:37:36.616Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--82a51cc3-7a91-43b0-9147-df5983e52b41", "created": "2020-12-14T15:02:35.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:08:11.798Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has communicated with the C2 using HTTP POST requests.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d3e06522-2a30-4d56-801e-9461178b80ce", "created": "2021-01-05T20:16:20.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": 
"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:45:54.913Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can hide its icon after launch.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6", "created": "2022-03-30T15:18:21.256Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T15:18:21.256Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd", "type": "relationship", "created": "2019-07-10T15:35:43.699Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.839Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694", "type": "relationship", "created": "2021-01-05T20:16:20.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-01-05T20:16:20.514Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can list all hidden files in the `/DCIM/.dat/` directory.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4a936488-526c-40c1-b2d5-490052cb0e73", "created": "2020-12-31T18:25:05.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:22:53.698Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can run bash commands.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5619e263-d48c-47a5-ab68-8677fe080a15", "created": "2022-03-30T14:42:27.821Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T14:42:27.821Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)", "relationship_type": "uses", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", "type": "relationship", "created": "2019-09-04T14:28:15.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-09-04T14:32:12.589Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d7ca70d4-2006-4252-b243-e52be760e24d", "created": "2022-04-01T13:26:39.773Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. ", "modified": "2022-04-01T13:26:39.773Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:29:18.098Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", "type": "relationship", "created": "2020-07-20T13:49:03.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "modified": "2020-09-24T15:12:24.191Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device’s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--77efa84c-5ef0-4554-b774-2dbfcca74087", "type": "relationship", "created": "2020-10-29T19:20:58.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." } ], "modified": "2020-10-29T19:20:58.116Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2e7f8995-93ae-41bb-9baf-53178341d93e", "created": "2021-02-08T16:36:20.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). 
BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:06:00.885Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2", "created": "2023-03-20T18:51:44.864Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:44.864Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b110d919-acd4-4fe0-a46a-ac4819508667", "created": "2020-07-20T13:58:53.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:21:35.992Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41", "created": "2023-01-18T21:43:36.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-21T18:44:26.569Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)", "relationship_type": "uses", "source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b", "created": "2023-03-20T18:41:56.287Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:41:56.287Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", "type": "relationship", "created": "2020-01-21T15:30:39.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019." } ], "modified": "2020-01-21T15:30:39.335Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd", "created": "2020-06-26T14:55:13.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:49:38.924Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", "type": "relationship", "created": "2020-09-15T15:18:12.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": 
"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "modified": "2020-09-15T15:18:12.417Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f", "created": "2022-04-01T12:50:48.459Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T12:50:48.459Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298", "created": "2020-12-14T15:02:35.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T18:06:30.456Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect the device’s contact list.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3", "created": "2019-10-18T15:51:48.487Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "modified": "2022-04-05T19:42:51.306Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c", "created": "2019-08-09T18:02:06.688Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", "description": "Viral Gandhi. 
(2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)", "modified": "2022-05-20T17:13:16.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1987b242-c868-40b2-993d-9dbeea311d4b", "created": "2022-03-30T14:08:09.882Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T14:08:09.882Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--50f03c00-5488-49fe-a527-a8776e526523", "type": "relationship", "created": "2020-11-24T17:55:12.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.820Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect a list of installed applications.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d59da983-c521-47b6-83ab-435f7d58611d", "created": "2019-11-21T16:42:48.493Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:12:57.861Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP requests for C2 communication.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674", "type": "relationship", "created": "2020-12-24T22:04:28.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:28.025Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d724bcf3-25d2-406a-b612-333fea5e2385", "created": "2020-10-29T17:48:27.440Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Exobot](https://attack.mitre.org/software/S0522) can show phishing popups when a targeted application is running.(Citation: Threat Fabric Exobot)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97", "created": "2023-02-06T19:06:37.359Z", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:06:37.359Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can receive files from the C2 at runtime.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1348c744-3127-4a55-a5b4-2f439f41e941", "created": "2020-07-27T14:14:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:48:16.775Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. 
[Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4", "created": "2021-01-05T20:16:20.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:23:12.919Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can execute commands.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", "type": "relationship", "created": "2020-07-20T13:27:33.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", 
"description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "modified": "2020-08-10T21:57:54.524Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a", "created": "2019-11-21T19:16:34.796Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:45:42.081Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:50:54.500Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52", "created": "2019-09-23T13:36:08.459Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443", "created": "2020-07-20T13:49:03.676Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)", "modified": "2022-04-20T17:58:16.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8244700e-6f96-463a-a9c3-810c489a2c60", "created": "2023-03-20T15:20:24.554Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:20:24.554Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50", "created": "2020-06-26T15:32:25.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:52:43.629Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device’s contact list.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39", "created": "2020-12-14T15:02:35.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:32:42.890Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect SMS messages as they are received.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d", "type": "relationship", "created": "2020-10-29T19:21:23.235Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." } ], "modified": "2020-10-29T19:21:23.235Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has hidden the C2 server address using base-64 encoding. 
(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", "type": "relationship", "created": "2020-04-24T17:46:31.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "modified": "2020-04-24T17:46:31.607Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8", "created": "2023-01-18T19:58:00.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:57:14.522Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ee095f20-eef5-4dcc-a537-70b387592c2c", "created": "2023-02-28T20:38:46.702Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "bitdefender_flubot_0524", "description": "Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:15:20.089Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Accessibility Services to make removal of the malicious app difficult.(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f", "type": "relationship", "created": "2020-04-08T15:41:19.427Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "modified": "2020-09-11T15:42:15.628Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--abf03652-acd0-4361-8a66-f7e70e8e4376", "created": "2020-06-02T14:32:31.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:12:12.766Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112", "created": "2022-04-05T19:59:03.285Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:59:03.285Z", 
"relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3", "created": "2019-07-10T15:35:43.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:36:27.557Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--be27a303-5748-4b72-ba69-a328e2f6cc08", "type": "relationship", "created": "2020-12-31T18:25:05.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. 
(2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." } ], "modified": "2020-12-31T18:25:05.177Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can download new modules while running.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", "type": "relationship", "created": "2019-08-09T18:08:07.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "modified": "2019-08-09T18:08:07.109Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", "type": "relationship", "created": "2020-11-10T16:50:39.134Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2021-04-19T15:40:36.387Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). 
[CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--57a5ae72-6932-45e6-83f2-609943902b35", "created": "2023-03-20T18:50:33.248Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:50:33.248Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", "type": "relationship", "created": "2020-09-11T16:22:03.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T16:22:03.229Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3", "created": "2020-12-18T20:14:47.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:50:29.535Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4", "type": "relationship", "created": "2021-02-17T20:43:52.413Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": 
[ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.413Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has compressed and encrypted data before exfiltration using password protected .7z archives.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "modified": "2019-10-10T15:22:52.591Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "modified": "2019-08-09T17:52:31.838Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--96298aed-9e9f-4836-b29b-04c88e79e53e", "created": "2022-04-01T18:42:37.987Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement for impairing defenses.", "modified": "2022-04-01T18:42:37.987Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd", "created": "2020-07-15T20:20:59.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:49:47.110Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af", "type": "relationship", "created": "2020-04-24T15:06:33.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T17:55:55.049Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213", "created": "2023-03-20T15:32:36.972Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:32:36.972Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--17141729-226d-40d4-928d-ffbd2eed7d11", "created": "2022-04-05T19:37:16.086Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:37:16.086Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
], "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", "created": "2023-02-28T20:31:55.191Z", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T20:31:55.191Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:27:01.081Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132", "created": "2022-03-30T14:06:26.530Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security products can typically detect jailbroken or rooted devices. 
", "modified": "2022-03-30T14:06:26.530Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--be7c3f83-b164-4d53-bfac-65f7437dabec", "created": "2023-03-20T18:54:36.266Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:54:36.266Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6", "type": "relationship", "created": "2020-07-15T20:20:59.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-07-15T20:20:59.296Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device’s location.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9f83d618-a42d-4797-b9fe-030affdbd13f", "created": "2023-01-18T19:46:45.399Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:49:35.020Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. 
[SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device’s default SMS handler.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3efe7dcc-a572-45ac-aff2-2932206a0632", "created": "2019-08-07T15:57:13.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:52:06.559Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674", "created": "2023-01-18T19:56:01.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). 
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:48:53.396Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", "type": "relationship", "created": "2019-10-10T15:03:27.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-10-10T15:03:27.682Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", "type": "relationship", "created": "2020-01-27T17:05:58.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-03-26T20:50:07.154Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. 
[GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca", "created": "2020-09-11T16:22:03.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:50:52.737Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s contact list.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user’s clipboard.(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", "type": "relationship", "created": "2020-01-27T17:05:58.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-03-26T20:50:07.266Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", "type": "relationship", "created": "2019-09-23T13:36:08.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "modified": "2019-10-14T20:49:24.646Z", "description": "Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", "type": "relationship", "created": "2019-07-10T15:25:57.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "modified": "2019-08-12T17:30:07.568Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-10-15T19:37:21.366Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348", "created": "2022-04-20T17:42:11.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. 
(2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "url": "https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:40:15.440Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for exfiltration.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", "type": "relationship", "created": "2020-04-24T15:12:11.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:12:11.185Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", "type": "relationship", "created": "2020-06-26T14:55:13.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T14:55:13.261Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", "type": "relationship", "created": "2020-06-02T14:32:31.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
} ], "modified": "2020-06-02T14:32:31.767Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56", "created": "2019-09-03T20:08:00.737Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)", "modified": "2022-04-15T17:39:08.123Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", "type": "relationship", "created": "2021-10-01T14:42:48.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "modified": "2021-10-06T15:32:46.477Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can use its keylogger module to take screenshots of the area of the screen that the user tapped.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--59d463d3-3a41-4269-be9a-7a69f44eca78", "created": "2020-10-29T19:21:23.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. 
(2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:03:47.434Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has communicated with the C2 server using HTTP.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f", "created": "2022-03-30T19:28:55.980Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.", "modified": "2022-03-30T19:28:55.980Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--91a4924f-2519-4662-91f2-b7ef715a459f", "created": "2023-03-20T18:59:55.756Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:59:55.756Z", "description": "", "relationship_type": "detects", 
"source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36", "created": "2023-03-20T18:41:31.300Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:41:31.300Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7258542e-029b-45b9-be69-6e76d9c93b35", "created": "2020-09-14T13:35:45.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:43:03.565Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070", "created": "2020-12-18T20:14:47.302Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used Firebase for C2 communication.(Citation: WhiteOps TERRACOTTA)", "modified": "2022-04-18T19:18:56.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-BrainTest", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--242dc659-c205-4e9e-95f9-14fee66195af", "created": "2022-04-01T15:29:36.082Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resources via VPN to only enterprise-approved applications.", "modified": "2022-04-01T15:29:36.082Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", "type": "relationship", "created": "2020-11-20T16:37:28.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": 
"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." } ], "modified": "2020-11-20T16:37:28.429Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect images, videos, and attacker-specified files.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273", "type": "relationship", "created": "2019-09-15T15:26:22.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2020-06-24T15:02:13.533Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", "type": "relationship", "created": "2019-11-21T16:42:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." } ], "modified": "2020-01-21T14:20:50.492Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e", "created": "2022-03-30T18:07:07.306Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. 
", "modified": "2022-03-30T18:07:07.306Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", "type": "relationship", "created": "2019-09-04T15:38:56.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." } ], "modified": "2019-09-10T14:59:26.136Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "PaloAlto-XcodeGhost", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", "type": "relationship", "created": "2019-09-03T19:45:48.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "modified": "2019-09-11T13:25:19.128Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fada5ba5-7449-4878-b555-82f225473c8b", "created": "2022-03-30T19:28:42.179Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Attestation can detect unauthorized modifications to devices. 
Mobile security software can then use this information and take appropriate mitigation action. ", "modified": "2022-03-30T19:28:42.179Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", "type": "relationship", "created": "2019-11-21T16:42:48.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." } ], "modified": "2019-11-21T16:42:48.495Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--085f8397-0233-42d7-855e-3dbd709f2eca", "created": "2023-01-18T21:39:27.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). 
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:30:43.093Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android “Direct Reply” feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f84355c2-b829-4324-821a-b5148734bb6b", "created": "2022-04-01T15:21:35.655Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. 
", "modified": "2022-04-01T15:21:35.655Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:12:22.002Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a92a805e-d5f5-4e94-8592-c253e03e4476", "created": "2022-03-31T19:51:15.415Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android Package Visibility", "url": "https://developer.android.com/training/package-visibility", "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that non-App Store applications could previously use to list installed applications.(Citation: Android Package Visibility)", "modified": "2022-04-11T19:19:34.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9398bf9d-be77-4ac2-acea-893152cafd16", "created": "2022-03-30T14:43:46.034Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T14:43:46.034Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a95fe853-d1d1-47dc-a776-b905daacfe32", "created": "2020-06-26T20:16:32.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:11:53.609Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID) ", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--66fb8a34-9d48-4599-a56e-19b057380030", "created": "2023-03-20T18:46:08.304Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:46:08.304Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc", "created": "2023-03-20T18:49:38.917Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:49:38.917Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_deprecated": false, "x_mitre_version": 
"0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", "type": "relationship", "created": "2020-09-14T14:13:45.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "modified": "2020-09-14T14:13:45.253Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", "type": "relationship", "created": "2020-07-20T13:27:33.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T21:57:54.688Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e", "created": "2022-03-30T20:43:31.249Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T20:43:31.249Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545", "created": "2019-09-23T13:36:08.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:56:23.365Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. [Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-10-15T19:37:21.273Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--36298fd6-d909-4490-8a04-095aef9ffafe", "type": "relationship", "created": "2020-11-20T15:54:07.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." } ], "modified": "2020-11-20T15:54:07.747Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can record audio from the microphone and phone calls.(Citation: Symantec GoldenCup) ", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6", "created": "2023-01-19T18:07:26.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). 
TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:13:32.345Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can utilize WebViews to display fake authentication pages that capture user credentials.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", "type": "relationship", "created": "2020-01-27T17:05:58.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.237Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "modified": "2019-10-15T19:54:10.285Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", "type": "relationship", "created": "2020-01-27T17:05:58.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.267Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can track the device’s location.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", "type": "relationship", "created": "2020-11-20T16:37:28.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.547Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54", "type": "relationship", "created": "2021-10-01T14:42:48.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "modified": "2021-10-01T14:42:48.744Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record audio.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724", "created": "2022-04-01T15:02:21.344Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation can often detect jailbroken devices. 
", "modified": "2022-04-01T15:02:21.344Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0", "type": "relationship", "created": "2020-12-24T21:55:56.686Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T21:55:56.686Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ff3aa49b-c054-44ec-89da-6c67d4995193", "created": "2023-03-20T18:44:44.257Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:44:44.257Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--919a13bc-74be-4660-af63-454abee92635", "type": "relationship", "created": "2019-03-11T15:13:40.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", "source_name": "TrendMicro-Anserver2" } ], "modified": "2019-08-05T20:05:25.571Z", "description": "\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--83d95d05-7545-4295-894b-f33a2ba1063b", "created": "2020-12-17T20:15:22.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:47:45.408Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has registered several broadcast receivers.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8c50e9e7-e13c-4814-98d0-088d73b10005", "created": "2023-03-03T16:21:24.531Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. 
(2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:21:24.531Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has modified Safari’s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program “QQ” on infected devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19", "created": "2020-09-24T15:26:15.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:41:01.468Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7", "created": "2022-04-01T18:45:11.299Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.", "modified": "2022-04-01T18:45:11.299Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": 
"Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb", "created": "2023-02-06T19:00:42.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:22:43.518Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access a device's location.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", "type": "relationship", "created": "2020-09-15T15:18:12.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "modified": "2020-09-15T15:18:12.398Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", "type": "relationship", "created": "2020-12-24T22:04:28.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:28.005Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken photos with the device camera.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f", "created": "2022-03-30T18:14:04.881Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Symantec-iOSProfile2", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles", "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018." }, { "source_name": "Android-TrustedCA", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html", "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target Android 7 (API Level 24) or higher trust, by default, only the CA certificates bundled with the operating system and not CA certificates added by the user or an administrator, which reduces their susceptibility to adversary-in-the-middle attacks; because this default depends on each app's target API level, apps built against older API levels are not covered by it.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "modified": "2022-03-30T18:14:04.881Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b", "created": "2023-03-20T15:56:47.307Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:56:47.307Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--40f30137-4db9-4596-b4c7-a12f1497fd92", "created": "2020-11-10T17:08:35.831Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing an SSL connection.(Citation: Lookout Uyghur Campaign)", "modified": "2022-04-18T16:02:42.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93", "type": "relationship", "created": "2020-09-11T15:50:18.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "modified": "2020-09-11T15:50:18.937Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--496976ef-4a0c-4782-95e7-231bd44df162", "type": "relationship", "created": "2020-12-14T15:02:35.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T15:02:35.295Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device information, including device model and OS version.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "modified": "2019-10-09T14:51:42.845Z", "description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59", "created": "2020-11-24T18:18:33.743Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": 
"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Exobot](https://attack.mitre.org/software/S0522) has used web injects to capture users’ credentials.(Citation: Threat Fabric Exobot)", "modified": "2022-04-15T17:39:22.154Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b", "created": "2023-02-06T19:47:08.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-30T15:13:44.210Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9", "created": "2022-03-28T19:32:05.234Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", "modified": "2022-03-28T19:32:05.234Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e", "type": "relationship", "created": "2020-12-24T21:55:56.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", 
"description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.745Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a1fac829-275a-409a-9060-e7bd7c63057e", "type": "relationship", "created": "2020-12-18T20:14:47.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T20:14:47.375Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can obtain a list of installed apps.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184", "created": "2022-03-30T17:53:56.805Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T17:53:56.805Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--23ecc134-0623-45ec-b8b5-52516483bda1", "created": "2023-04-14T14:10:04.452Z", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-14T14:10:04.452Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--82f51cc6-6ce4-459e-b598-7b2b77983469", "created": "2020-04-24T15:06:33.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:28:18.530Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d6be8665-afbb-4be5-a56a-493af01b120a", "created": "2022-03-30T15:52:29.935Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security products can potentially detect jailbroken or rooted devices.", "modified": "2022-03-30T15:52:29.935Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc", "created": "2023-02-06T19:41:40.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:35:04.072Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--89565753-23c4-422d-a9ba-39f4101cd819", "type": "relationship", "created": "2020-11-20T16:37:28.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.485Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can track the device’s location.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99", "created": "2017-10-25T14:48:53.742Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Elcomsoft-iOSRestricted", "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/", "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)", "modified": "2022-04-01T15:35:28.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b0625604-e4c4-402b-b191-f43137d38d99", "created": "2020-11-20T15:44:57.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. 
Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:29:50.160Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect sent and received SMS messages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6885280e-5423-422a-94f1-e91d557e043e", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "PaloAlto-XcodeGhost1", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016." }, { "source_name": "PaloAlto-XcodeGhost", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)", "modified": "2022-04-15T15:10:16.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--58c857f8-4f40-48e0-b3ac-41944d82b576", "created": "2020-12-24T22:04:27.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:54:02.223Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", "type": "relationship", "created": "2020-07-20T13:27:33.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T21:57:54.526Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4", "type": "relationship", "created": "2021-10-01T14:42:48.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "modified": "2021-10-01T14:42:48.815Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record from the device’s camera.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--520c7112-9768-42c5-8917-1950efd182f9", "created": "2023-02-06T19:38:45.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:33:30.155Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--046acda0-91de-4385-bcfb-157570d8e51d", "created": "2023-03-30T15:25:00.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-30T15:26:46.611Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", "type": "relationship", "created": "2020-12-14T15:02:35.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T15:02:35.304Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has stored encrypted strings in the APK file.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", "type": "relationship", "created": "2019-07-10T15:35:43.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.741Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", "type": "relationship", "created": "2020-06-26T15:32:25.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": 
"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." }, { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." } ], "modified": "2020-06-26T15:32:25.058Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8b27a786-b4d9-4014-a249-3725442f9f1d", "type": "relationship", "created": "2021-01-05T20:16:20.499Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
} ], "modified": "2021-01-05T20:16:20.499Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can obtain a list of installed applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", "type": "relationship", "created": "2020-09-11T14:54:16.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T14:54:16.548Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", "created": "2017-10-25T14:48:53.738Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications’ internal storage directories, regardless of permissions. 
", "modified": "2022-04-01T13:51:48.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:39:48.895Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1", "type": "relationship", "created": "2021-02-08T16:36:20.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": 
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." } ], "modified": "2021-05-24T13:16:56.571Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd", "created": "2022-04-01T15:03:02.553Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T15:03:02.553Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--eee008fa-a46f-4542-93e3-8fe5f949130f", "created": "2023-01-19T18:06:57.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:21:37.086Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if WiFi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9d264e84-27b2-4867-82c8-55486a969d7c", "type": "relationship", "created": "2020-12-17T20:15:22.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-17T20:15:22.489Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running processes.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:54:51.590Z", "description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6c0105f3-e919-499d-b080-d127394d2837", "created": "2022-03-30T18:14:23.210Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. 
Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", "modified": "2022-03-30T18:14:23.210Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea", "created": "2019-10-18T14:52:53.193Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", "modified": "2022-03-30T20:07:50.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8c034c66-18ad-4b30-9f17-ed574c10918f", "created": "2023-03-20T18:56:20.203Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:56:20.203Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb", "created": "2020-09-15T15:18:12.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:17:07.033Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76", "created": "2020-12-17T20:15:22.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:35:41.700Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with “86”.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--30ab9ce7-5369-402a-94ee-f8452642acb9", "created": "2022-03-30T19:50:37.739Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T19:50:37.739Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--34351abd-1f58-420a-a893-ad822839815d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:33:36.294Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd", "type": "relationship", "created": "2020-04-08T18:55:29.205Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." }, { "source_name": "Trend Micro Anubis", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." 
} ], "modified": "2021-01-20T16:01:19.565Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9e458d77-c856-4b02-82a7-50947b232dc3", "type": "relationship", "created": "2021-10-01T14:42:49.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "modified": "2021-10-06T15:32:46.533Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-08-09T17:59:49.072Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6d2c7743-fc75-4524-b217-13867ca1dd10", "created": "2019-09-03T20:08:00.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). 
Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:32:04.659Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", "url": "https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:01:48.463Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses HTTP requests for C2 communication.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "modified": "2019-08-09T17:52:31.848Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. 
It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7793a066-d72b-4a60-9579-e16369ea7185", "created": "2023-03-20T18:57:55.221Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:57:55.221Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c", "created": "2022-04-01T16:51:20.688Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should scrutinize every device administration permission request. 
If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.", "modified": "2022-04-01T16:51:20.688Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", "type": "relationship", "created": "2020-05-07T15:24:49.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2020-05-27T13:23:34.544Z", "description": "Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", "type": "relationship", "created": "2020-12-18T20:14:47.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T20:14:47.412Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556", "created": "2019-09-04T15:38:56.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" }, { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:44:31.870Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:53:41.561Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d562ed4d-ac4d-476b-872e-9e228c580889", "type": "relationship", "created": "2020-11-20T16:37:28.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.506Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can obtain a list of installed applications.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", "type": "relationship", "created": "2020-07-15T20:20:59.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-07-15T20:20:59.186Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:17:53.923Z", "description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3", "type": "relationship", "created": "2020-01-27T17:05:58.215Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.215Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb", "type": "relationship", "created": "2020-12-17T20:15:22.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-17T20:15:22.444Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", "type": "relationship", "created": "2020-09-11T16:22:03.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T16:22:03.301Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", "type": "relationship", "created": "2019-09-04T15:38:56.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019." } ], "modified": "2019-10-14T18:08:28.599Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", "type": "relationship", "created": "2021-02-17T20:43:52.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.333Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has used an online cell tower geolocation service to track targets.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956", "created": "2020-11-24T17:55:12.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:21:56.899Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2", "created": "2020-12-24T22:04:28.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:20:48.937Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has modified or configured proxy information.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c00031dd-0466-4fd2-9724-ab1c04232bad", "created": "2023-03-20T18:44:40.722Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:44:40.722Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f", "created": "2022-04-06T13:39:39.883Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T13:39:39.883Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", 
"x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--73d22490-4043-42d7-ad25-74e4a642bf6a", "created": "2023-03-20T18:41:45.186Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:41:45.186Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "modified": "2019-10-15T19:56:13.162Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9951d8c0-d210-4776-808b-421b613f244f", "created": "2019-09-23T13:36:08.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:55:41.638Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5", "created": "2019-08-08T18:47:57.655Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Android 10 Privacy Changes", "url": 
"https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.(Citation: Android 10 Privacy Changes) ", "modified": "2022-04-01T16:35:38.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", "type": "relationship", "created": "2020-09-11T15:52:12.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-09-11T15:52:12.520Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24", "created": "2023-03-15T16:40:37.553Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:40:37.553Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2", "created": "2023-01-18T19:57:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:43:35.115Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", "type": "relationship", "created": "2020-04-24T15:12:11.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:12:11.189Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51", "created": "2022-04-01T12:37:17.515Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "OS feature updates often enhance security and privacy around permissions. ", "modified": "2022-04-01T12:37:17.515Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ab18ee61-f94a-411c-9893-941714ce713e", "created": "2023-03-20T18:44:26.642Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:44:26.642Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": 
"relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630", "created": "2020-07-15T20:20:59.300Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6", "created": "2022-03-30T13:48:43.977Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security products can typically detect jailbroken or rooted devices. 
", "modified": "2022-03-30T13:48:43.977Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388", "created": "2022-03-30T20:36:18.656Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. ", "modified": "2022-03-30T20:36:18.656Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9", "created": "2023-02-28T21:42:52.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:25:22.438Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request location permissions.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--418168ad-fee9-42c8-ac27-11f7472a5f86", "created": "2019-09-03T19:45:48.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:09:08.738Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089", "created": "2022-03-28T19:41:27.610Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", "modified": "2022-03-28T19:41:27.610Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", 
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-08-09T17:56:05.642Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6", "created": "2020-01-21T14:20:50.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:46:20.857Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", "created": "2019-09-23T13:36:08.335Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2a472430-c30e-4877-8933-2e75f1de9a01", "created": "2022-03-30T14:00:45.120Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T14:00:45.120Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0", "created": "2019-09-04T20:01:42.722Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). 
An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit allowlist of the applications that may run as accessibility services, so that only those applications can be enabled as accessibility services on the device; this limits which apps can observe screen content through the accessibility framework. ", "modified": "2022-04-01T13:32:19.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7defdb15-65d1-40ca-a9da-5c0484892484", "created": "2020-04-24T17:46:31.616Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4", "type": "relationship", "created": "2020-04-08T15:41:19.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "modified": "2020-04-08T18:55:29.238Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "modified": "2019-10-10T15:18:51.121Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:13:18.720Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f", "type": "relationship", "created": "2020-09-11T14:54:16.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T14:54:16.640Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--56a255a5-9fa2-45bb-8848-fd0a68514467", "created": "2022-04-11T20:06:56.034Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-11T20:06:56.034Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e", "created": "2020-06-26T15:32:24.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:50:47.973Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) evades analysis by activating only after the device's accelerometer has recorded a certain number of steps, i.e. only once the device appears to be carried by a real user.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--22773074-4a95-48e0-905f-688ce048b5ed", "created": "2020-04-24T17:46:31.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:53:51.524Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", "type": "relationship", "created": "2020-06-02T14:32:31.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "modified": "2020-06-02T14:32:31.910Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--681161b2-4e30-4d49-8524-6cc0d94585cb", "created": "2023-03-16T13:33:26.925Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T13:33:26.925Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf", "created": "2023-03-20T18:59:14.759Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:59:14.759Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", "type": "relationship", "created": "2019-09-03T20:08:00.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "modified": "2019-10-10T15:19:47.960Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", "type": "relationship", "created": "2020-09-11T15:55:43.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2020-09-11T15:55:43.774Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb", "created": "2023-03-20T18:43:03.537Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:03.537Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4", "created": "2022-04-06T15:28:20.249Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be instructed to not grant applications unexpected or unnecessary permissions. 
", "modified": "2022-04-06T15:28:20.249Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef", "created": "2022-04-05T20:14:17.442Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T20:14:17.442Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--901492b5-b074-4631-ad6e-4178caa4164a", "type": "relationship", "created": "2020-12-24T22:04:28.017Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:28.017Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has recorded calls and environment audio in .amr format.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", "type": "relationship", "created": "2019-09-03T19:45:48.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "modified": "2019-09-11T13:25:19.179Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9d621873-6d3c-4660-be9a-57e2e8648236", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. 
Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:24:29.502Z", "description": "[Marcher](https://attack.mitre.org/software/S0317) requests Android Device Administrator access.(Citation: Proofpoint-Marcher)", "relationship_type": "uses", "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", "type": "relationship", "created": "2020-04-24T15:06:33.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:06:33.510Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8ea39534-6fe9-404c-94b7-0f320af95404", "created": "2022-04-01T15:17:21.511Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T15:17:21.511Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", "type": "relationship", "created": "2020-09-11T14:54:16.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T14:54:16.650Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711", "created": "2023-02-06T20:12:17.434Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:04:59.445Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_CALL_LOG` permission.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3", "created": "2023-02-06T18:50:12.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-14T14:40:57.100Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties in order to avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", "type": "relationship", "created": "2020-07-15T20:20:59.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-07-15T20:20:59.377Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7", "type": "relationship", "created": "2020-11-24T17:55:12.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market. Retrieved November 24, 2020." } ], "modified": "2020-11-24T17:55:12.822Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request the device’s location.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", "type": "relationship", "created": "2019-09-03T19:45:48.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-10-14T17:15:52.637Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bd29ce15-1771-470c-a74b-5ea90832ce23", "created": "2020-12-24T22:04:27.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:31:11.269Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4f812a57-efdc-463b-bf37-baa4bca7502b", "created": "2020-05-04T14:22:20.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:35:00.081Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa", "created": "2023-02-06T19:05:28.288Z", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:05:28.288Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect files from or inspect the device’s filesystem.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a", "created": "2020-11-20T16:37:28.591Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:02:09.253Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has communicated with the C2 using MQTT and HTTP.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d", "created": "2020-12-18T20:14:47.297Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has generated non-human advertising impressions.(Citation: WhiteOps TERRACOTTA)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--56551987-326a-46ad-a34a-59bb7ab793a9", "created": "2020-12-14T14:52:03.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:24:07.828Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b", "created": "2020-07-15T20:20:59.307Z", "x_mitre_version": "1.0", "external_references": [ { 
"source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5706742b-733d-44e9-a032-62b81ba05bcf", "created": "2020-06-02T14:32:31.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:26:52.491Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "HackerNews-Allwinner", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained a simple backdoor that could be used to obtain root access. 
It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)", "modified": "2022-04-15T15:16:35.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357", "created": "2019-07-10T15:25:57.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:31:46.913Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", 
"source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", "type": "relationship", "created": "2019-09-04T15:38:56.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." } ], "modified": "2019-09-10T14:59:26.138Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551", "type": "relationship", "created": "2021-02-08T16:36:20.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "modified": "2021-05-24T13:16:56.412Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b8606318-8c12-4381-ba33-5b2321772ea0", "created": "2022-03-30T20:31:57.183Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be advised to apply extra scrutiny to applications that request location or sensitive phone information permissions, and to deny any permission requests from applications they do not recognize.", "modified": "2022-03-30T20:31:57.183Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", "created": "2020-06-26T14:55:13.385Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android’s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", "modified": "2022-04-15T17:39:39.931Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78", "created": "2023-03-20T18:54:09.674Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:54:09.674Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", "type": "relationship", "created": "2019-09-23T13:36:08.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "modified": "2019-09-23T13:36:08.441Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", "type": "relationship", "created": "2019-09-03T19:45:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-10-14T16:47:53.197Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e", "created": "2020-12-31T18:25:05.165Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES) ", "modified": "2022-04-18T16:00:57.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b2896068-4d54-41e1-b0f2-db9385615112", "type": "relationship", "created": "2021-01-05T20:16:20.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": 
"https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-01-05T20:16:20.426Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has shown a persistent notification to maintain access to device sensors.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3857f790-6ea1-4f37-8d90-90904f175d63", "created": "2023-01-18T21:37:55.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:48:17.771Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", "type": "relationship", "created": "2019-07-10T15:47:19.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-07-16T15:35:21.086Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--049a5149-00c9-492a-8ffb-463f3d0cd910", "created": "2022-03-30T20:13:28.442Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android 10 Limitations to Hiding App Icons", "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons", "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022." }, { "source_name": "LauncherApps getActivityList", "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist", "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", "modified": "2022-05-20T17:16:08.998Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cea30219-a255-43ae-b731-9512c5044523", "created": "2022-04-18T19:46:02.547Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-18T19:46:02.547Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc", "created": "2022-04-01T13:18:40.460Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. 
", "modified": "2022-04-01T13:18:40.460Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", "type": "relationship", "created": "2020-09-11T16:22:03.231Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "modified": "2020-09-11T16:22:03.231Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113", "created": "2020-06-26T15:32:25.032Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce", "type": "relationship", "created": "2020-12-18T20:14:47.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T20:14:47.339Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used timer events in React Native to initiate the foreground service.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", "type": "relationship", "created": "2019-09-04T14:28:16.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-09-04T14:32:13.000Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--17e94f34-e367-491c-9f9f-79294e124b4f", "created": "2020-12-17T20:15:22.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:22:48.246Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can intercept SMS messages.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "modified": "2019-08-09T17:52:31.854Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6", "created": "2022-04-05T19:54:12.660Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:54:12.660Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1cc71849-142f-4097-9546-7946b0b546a6", "created": "2020-04-08T15:51:25.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:29:22.884Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--35a12ae8-562d-4e24-979e-ef970dde0b94", "created": "2022-04-15T17:52:24.125Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-15T17:52:24.125Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-08-09T17:56:05.686Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c41d817e-913e-4574-b8d4-370de9f0034b", "created": "2019-11-18T14:47:25.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" }, { "source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:19:16.331Z", "description": "[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. 
Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650", "created": "2019-07-10T15:35:43.663Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", "type": "relationship", "created": "2020-09-14T14:13:45.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "modified": "2020-09-14T14:13:45.259Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4", "created": "2022-09-29T21:22:06.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2022-09-30T18:45:10.156Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc", "created": "2023-03-20T18:14:50.401Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:47:25.861Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--da424f3f-8a93-4a66-858c-b33f587108e6", "type": "relationship", "created": "2020-10-29T17:48:27.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": 
"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." } ], "modified": "2020-10-29T17:48:27.225Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s country and carrier name.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0", "type": "relationship", "created": "2020-12-24T22:04:27.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:27.997Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has tracked location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2d3198ff-a481-47ec-ae64-13d7be706929", "created": "2023-02-28T21:41:47.503Z", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T21:41:47.503Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record video from the device camera.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2", "created": "2022-04-01T13:27:29.919Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, 
"description": "", "modified": "2022-04-01T13:27:29.920Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-07-16T15:35:21.063Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1", "created": "2019-07-10T15:35:43.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:32:57.154Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8f2929a9-cd25-4e07-b402-447da68aaa56", "created": "2020-04-24T15:06:33.455Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:10:43.246Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8", "created": "2023-03-20T18:56:24.246Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:56:24.246Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788", "created": "2020-05-07T15:33:32.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:20:05.166Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications’ update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3", "created": "2021-02-08T16:36:20.788Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "modified": "2022-04-15T17:35:26.197Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e", "type": "relationship", "created": "2020-01-14T17:47:08.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
} ], "modified": "2020-01-14T17:47:08.826Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--def81edd-4410-47b2-a80f-d47b3f353f54", "created": "2023-03-16T18:27:42.656Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:27:42.656Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9", "type": "relationship", "created": 
"2020-12-24T21:55:56.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.753Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools to gain root, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--afba6b19-7486-4e5a-8fda-e91852b0b354", "type": "relationship", "created": "2021-09-20T13:42:21.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-09-27T18:05:43.107Z", "description": "Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. 
Further, users should not change their default call handler to applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce", "created": "2022-04-01T18:42:50.381Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Providing user guidance around commonly abused features, such as the modal that requests administrator permissions, should aid in preventing the impairment of defenses.", "modified": "2022-04-01T18:42:50.381Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:53:03.638Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414", "created": "2019-10-18T14:50:57.521Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. 
", "modified": "2022-03-30T20:08:17.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). 
RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "modified": "2019-09-10T13:14:39.009Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", "type": "relationship", "created": "2021-02-17T20:43:52.324Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.324Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0100020b-97d4-4657-bc71-c6a1774055a6", "created": "2022-04-20T17:36:25.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. 
Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:39:23.114Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b19082d2-c151-45dd-8844-82335fbe3ed9", "created": "2023-02-28T21:43:54.880Z", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T21:43:54.880Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can send text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:18:51.813Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1d828f51-1c04-466c-beaf-2d4de741a544", "created": "2020-05-04T14:04:56.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:03:18.675Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--806a9338-be20-4eef-aa54-067633ac0e58", "type": "relationship", "created": "2020-04-08T15:41:19.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "modified": "2020-04-08T15:41:19.421Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device’s GPS location.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e", "created": "2023-03-20T18:52:52.011Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:52:52.011Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c", "created": "2019-09-03T20:08:00.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:31:38.319Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:19:00.168Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--60782df8-1e96-48eb-a6b7-843c94b32b59", "created": "2023-02-06T19:43:17.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:33:52.290Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4009ff40-4616-4b1c-bff9-599e52ccab37", "created": "2020-01-27T17:05:58.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:28:34.373Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s contact list.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", "type": "relationship", "created": "2020-06-26T15:32:24.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T15:32:24.955Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--27050442-e578-44b7-9534-ada78824befe", "created": "2023-02-06T19:45:09.612Z", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:45:09.612Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--68c17e9b-1fda-49dd-982b-566d473cc32b", "created": "2022-04-06T15:51:11.939Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T15:51:11.939Z", "relationship_type": "revoked-by", "source_ref": 
"attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", "type": "relationship", "created": "2021-01-05T20:16:20.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-01-05T20:16:20.511Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has contained an alarm that triggers every three minutes and timers for communicating with the C2.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", "type": "relationship", "created": "2020-06-26T14:55:13.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T14:55:13.380Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", "type": "relationship", "created": "2020-07-20T13:27:33.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T21:57:54.516Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-10-15T19:44:36.177Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--383e5b12-061e-45c6-911b-b37187dd9254", "type": "relationship", "created": "2021-02-08T16:36:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry 
Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." } ], "modified": "2021-05-24T13:16:56.399Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a", "created": "2020-06-26T15:32:24.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:42:04.769Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd", "created": "2019-09-03T19:45:48.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:10:38.937Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--15065492-1aef-4cf8-af3c-cc763eee5daf", "created": "2020-09-24T15:34:51.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:49:32.064Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being run on an emulator.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", "type": "relationship", "created": "2019-07-10T15:35:43.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.693Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13", "created": "2020-10-29T17:48:27.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:45:26.765Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has registered to receive the `BOOT_COMPLETED` broadcast intent.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", "type": "relationship", "created": "2020-07-15T20:20:59.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { 
"source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-07-15T20:20:59.284Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a54c8c09-c849-4146-a7cc-158887222a6d", "created": "2020-12-24T21:45:56.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:15:05.454Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", "type": "relationship", "created": "2019-07-16T14:33:12.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "modified": "2020-04-27T16:52:49.643Z", "description": "[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. 
This permission enables access to information about applications currently on the foreground and other recently used apps.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--119b848b-84b4-4f86-a265-0c9eb8680072", "created": "2021-10-01T14:42:49.171Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can be controlled via IRC using freenode.net servers.(Citation: SecureList BusyGasper)", "modified": "2022-04-18T19:01:58.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", "type": "relationship", "created": "2020-04-08T15:51:25.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. 
(2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "modified": "2020-04-08T15:51:25.120Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856", "created": "2020-05-04T14:04:56.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:03:51.504Z", "description": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d300eb82-5ca0-48aa-a45f-d34242545e27", "created": "2022-03-30T15:08:28.814Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device 
attestation could detect unauthorized operating system modifications. ", "modified": "2022-03-30T15:08:28.814Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", "type": "relationship", "created": "2020-07-27T14:14:56.980Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "modified": "2020-08-10T22:18:20.815Z", "description": "[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3364dd33-c012-4aaf-852b-86e63bd724ac", "created": "2023-02-06T19:38:22.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" }, { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-11T22:06:53.022Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7d481598-ece7-469c-b231-619a804c25e5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:34:25.318Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--efd35b6f-7a61-4998-97ff-608547e40f66", "created": "2019-10-01T14:23:44.054Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": " [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ", "modified": "2022-04-18T16:07:57.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1", "created": "2019-09-04T15:38:57.037Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", "modified": "2022-04-15T17:34:17.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435", "created": "2022-04-05T19:51:08.770Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android 12 Features", "url": "https://developer.android.com/about/versions/12/features", "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", "modified": "2022-04-05T19:51:08.770Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a", "created": "2020-10-29T19:21:23.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:48:18.023Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--212801c2-5d14-4381-b25a-340cda11a5ac", "created": "2020-12-18T20:14:47.310Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has displayed a form to collect user data after installation.(Citation: WhiteOps TERRACOTTA)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:27:20.839Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--34f9aed0-48a7-4815-8456-5541a7b8210f", "created": "2019-09-04T14:28:16.487Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": 
"Lookout-Monokle", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)", "modified": "2022-04-15T17:34:52.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", "type": "relationship", "created": "2020-07-15T20:20:59.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-07-15T20:20:59.318Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. 
It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5aa167b8-4166-440b-b49f-bf1bab597237", "created": "2019-11-21T16:42:48.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:39:13.309Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device’s call log.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", "type": "relationship", "created": "2020-09-11T15:43:49.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "modified": "2020-09-11T15:43:49.309Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4449ac76-8329-4483-b152-99b990006cbc", "created": "2019-09-04T15:38:56.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:58:10.115Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b", "type": "relationship", "created": "2020-12-17T20:15:22.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": 
"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." } ], "modified": "2020-12-17T20:15:22.397Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can steal data from various sources, including chat, communication, and social media apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936", "created": "2019-08-29T18:57:55.926Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Samsung Keyboards", "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted. Retrieved September 1, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list to be available to the end user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", "modified": "2022-04-05T19:41:57.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c", "type": "relationship", "created": "2021-02-17T20:43:52.410Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.410Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d", "type": "relationship", "created": "2020-07-15T20:20:59.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. 
Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-07-15T20:20:59.294Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9", "created": "2019-09-04T14:28:15.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:26:48.912Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--79ef0025-3e1c-4914-9873-19808c2a5bec", "created": "2023-02-28T21:44:22.373Z", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T21:44:22.373Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record the screen and stream the data off the device.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50", "type": "relationship", "created": "2021-09-20T13:50:02.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "modified": "2021-09-20T13:50:02.036Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--41da5845-a1a8-4d10-8929-053be3496396", "created": "2022-04-20T17:46:43.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:39:57.165Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e", "type": "relationship", "created": "2021-01-05T20:16:20.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
} ], "modified": "2021-01-05T20:16:20.512Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can check the device’s battery status.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab", "created": "2022-04-11T20:06:38.811Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.", "modified": "2022-04-11T20:06:38.811Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bc79a212-139f-4dce-be72-e90585f38f03", "created": "2023-03-16T18:31:37.091Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:31:37.091Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9", "created": "2022-03-30T14:26:02.359Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android Changes to System Broadcasts", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts) ", "modified": "2022-03-30T14:26:02.359Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", "type": "relationship", "created": "2020-11-20T16:37:28.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.391Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect a directory listing of external storage.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", "type": "relationship", "created": "2020-04-24T15:06:33.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:06:33.495Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can track the device’s location.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", "type": "relationship", "created": "2020-04-27T16:52:49.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "modified": "2020-04-27T16:52:49.444Z", "description": "[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688", "created": "2020-05-07T15:33:32.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:19:44.427Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", "type": "relationship", "created": "2020-07-15T20:20:59.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-07-15T20:20:59.298Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6", "created": "2023-03-16T13:31:29.822Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T13:31:29.822Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920", "created": "2022-04-05T19:46:22.326Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "modified": "2022-04-05T19:46:22.326Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d", "created": "2019-07-10T15:25:57.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:39:29.860Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31", "created": "2022-09-29T20:11:55.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2022-09-30T18:39:16.003Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--300c824d-5586-411b-b274-8941a99a98fb", "created": "2022-03-30T14:06:01.859Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation can often detect jailbroken or rooted devices.", "modified": "2022-03-30T14:06:01.859Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--09c6bbd4-9058-4657-9d8e-656439637ac6", "created": "2023-03-16T18:32:47.895Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:32:47.895Z", "description": "", "relationship_type": "detects", "source_ref": 
"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Wandera-RedDrop", "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c89d6493-3f33-4568-ac77-ba13b206ae69", "created": "2023-03-20T18:52:24.667Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:52:24.667Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", 
"x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--492d5699-f885-411a-8431-254fcf33fb12", "created": "2019-08-09T16:14:58.367Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Android Capture Sensor 2019", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device’s camera.(Citation: Android Capture Sensor 2019)", "modified": "2022-04-01T13:56:12.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14", "created": "2020-06-26T15:32:25.043Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:53:04.417Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", "type": "relationship", "created": "2020-06-26T15:32:25.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T15:32:25.062Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", "type": "relationship", "created": "2019-09-04T14:28:15.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-10-14T17:51:38.054Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa", "created": "2020-11-10T17:08:35.761Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:00:38.611Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", "type": "relationship", "created": "2020-12-31T18:25:05.142Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
} ], "modified": "2020-12-31T18:25:05.142Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has collected the device’s location.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", "type": "relationship", "created": "2020-05-04T14:04:56.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "modified": "2020-05-04T15:40:21.305Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. 
[Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49", "type": "relationship", "created": "2020-12-24T22:04:28.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T22:04:28.004Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has checked for system root.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f4aeacef-035c-4308-9e85-997703e27809", "created": "2020-01-27T17:05:58.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:27:33.906Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c943d462-fea7-4c01-88b2-de134153095b", "created": "2023-03-20T18:56:37.473Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:56:37.473Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3c43d125-6719-420e-bb69-878cc91c2474", "created": "2020-09-15T15:18:12.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:45:11.727Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532", "created": "2023-02-06T19:46:43.041Z", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:46:43.041Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", "type": "relationship", "created": "2020-12-18T20:14:47.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T20:14:47.319Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", "type": "relationship", "created": "2020-01-27T17:05:58.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.271Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--42342d72-a37c-477e-b8f1-1768273fcb7f", "created": "2019-10-18T15:51:48.451Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be advised not to grant consent for screen captures to occur unless expected. 
Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", "modified": "2022-04-01T13:32:32.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2", "created": "2023-03-20T18:48:39.857Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:48:39.857Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ed7e9368-004c-484f-9eed-03b158325564", "created": "2023-03-20T18:54:40.401Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:54:40.401Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330", "created": "2022-04-01T15:01:53.321Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.", "modified": "2022-04-01T15:01:53.321Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", "type": "relationship", "created": "2020-07-15T20:20:59.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-07-15T20:20:59.382Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b402664b-a5b4-45e4-832f-02638e6c67a7", "created": "2022-04-01T14:59:17.991Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores. ", "modified": "2022-04-01T14:59:17.991Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", "type": "relationship", "created": "2019-09-23T13:36:08.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "modified": "2019-10-15T19:56:50.651Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02", "created": "2020-06-26T15:32:25.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:10:26.480Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f", "created": "2023-02-28T20:39:57.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:07:21.417Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Domain Generation Algorithms to connect to the C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--29357289-362c-447c-b387-9a38b50d7296", "created": "2022-04-15T17:20:06.338Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." }, { "source_name": "Check Point-Joker", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. 
[Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", "modified": "2022-04-15T17:20:06.338Z", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a", "created": "2021-01-07T17:02:31.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:56:32.861Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can access the device's contact list.(Citation: Zscaler TikTok Spyware) ", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f92fe9dd-7296-42f6-904e-e245c438376e", "created": "2020-12-14T15:02:35.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:25:06.012Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can request device administrator permissions.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--34b6abb0-d199-46bb-af21-b65560e75658", "created": "2022-04-01T19:06:40.361Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T19:06:40.361Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--90d4d964-efa2-46ac-adc2-759886e07158", "created": "2020-10-29T17:48:27.325Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:11:02.157Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used HTTPS for C2 communication.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:23:04.150Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651", "created": "2023-04-11T19:54:52.711Z", "revoked": false, "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-11T19:54:52.711Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7", "created": "2023-03-20T18:48:56.995Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:48:56.995Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", "type": "relationship", "created": "2019-03-11T15:13:40.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", "source_name": "TrendMicro-Anserver2" } ], "modified": "2019-10-15T19:55:04.517Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d", "created": "2022-04-01T17:06:06.950Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. 
", "modified": "2022-04-01T17:06:06.950Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--828417ec-c444-41c8-95b4-c339c5ecf62b", "created": "2022-03-30T20:48:00.360Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "modified": "2022-03-30T20:48:00.360Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760", "created": "2022-03-30T14:41:20.735Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android Changes to System Broadcasts", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 8 introduced additional limitations on the implicit broadcast intents that an application can register for in its manifest (receivers that a running application registers at runtime are not subject to these limits, so the mitigation only prevents an application from being woken by such broadcasts).(Citation: Android Changes to System Broadcasts)", "modified": "2022-03-30T14:41:20.735Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7", "created": "2023-03-20T18:55:33.546Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:55:33.546Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:24:38.256Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", "type": "relationship", "created": "2020-10-29T17:48:27.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
} ], "modified": "2020-10-29T17:48:27.469Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can forward SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "modified": "2019-08-09T17:53:48.780Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--91831379-b0da-4019-a7bb-17e53cda9d0b", "type": "relationship", "created": "2020-12-31T18:25:05.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. 
(2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." } ], "modified": "2020-12-31T18:25:05.131Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has utilized native code to decrypt its malicious payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c", "created": "2022-04-01T14:59:39.294Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Apple regularly provides security updates for known OS vulnerabilities.", "modified": "2022-04-01T14:59:39.294Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e", "created": "2023-03-16T18:26:45.940Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:26:45.940Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d", "type": "relationship", "created": "2021-02-08T16:36:20.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." } ], "modified": "2021-05-24T13:16:56.495Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", "type": "relationship", "created": "2019-08-09T17:52:13.352Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "modified": "2019-08-09T17:52:31.877Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76", "created": "2023-03-20T18:42:18.058Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:42:18.058Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", "type": "relationship", "created": "2020-07-20T13:27:33.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T21:57:54.686Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357", "type": "relationship", "created": "2020-12-17T20:15:22.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." } ], "modified": "2020-12-17T20:15:22.408Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can track the device’s location.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a", "created": "2020-11-20T16:37:28.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:52:20.309Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device’s contact list.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090", "created": "2023-03-20T18:58:30.773Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:30.773Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710", "type": "relationship", "created": "2020-09-14T14:13:45.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020." } ], "modified": "2020-09-14T14:13:45.256Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can track the device’s location.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad", "created": "2021-10-01T14:42:49.159Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. 
When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.(Citation: SecureList BusyGasper)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69", "created": "2019-10-14T19:14:18.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. 
Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:32:47.359Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358", "type": "relationship", "created": "2020-11-10T17:08:35.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-01T19:48:44.840Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f", "created": "2020-06-26T15:12:40.100Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:49:00.042Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. 
This is accomplished by declaring a service that handles the `android.accessibilityservice.AccessibilityService` intent; once the user has granted accessibility access to that service, the system starts it automatically on boot.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", "type": "relationship", "created": "2020-09-24T15:34:51.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "modified": "2020-09-24T15:34:51.315Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3d65c2b7-c907-45e1-b942-95f7d765e749", "created": "2023-03-20T18:53:34.056Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:53:34.056Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", 
"x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b", "created": "2021-02-17T20:49:24.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:22:40.300Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33", "created": "2023-03-20T19:00:09.608Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T19:00:09.608Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f", "created": "2022-04-01T18:49:19.284Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators’ ability to reset the device’s passcode.", "modified": "2022-04-01T18:49:19.284Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8", "created": "2022-04-15T15:57:32.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:21:49.009Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7", "created": "2022-03-31T19:53:01.320Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-31T19:53:01.320Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", "type": "relationship", "created": "2019-08-09T18:06:11.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.672Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:24:53.701Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--48552acc-5f1a-422f-90fa-37108446f36d", "created": "2022-03-30T19:14:20.374Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": 
"", "modified": "2022-03-30T19:14:20.374Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb", "type": "relationship", "created": "2020-01-27T17:05:58.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.308Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", "created": "2020-05-04T14:04:56.179Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. 
(2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", "modified": "2022-04-15T17:20:54.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1f8f0021-6992-476c-ba1c-232542dc1633", "created": "2023-03-20T18:58:52.857Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:52.857Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", "type": "relationship", "created": "2020-04-08T15:51:25.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
} ], "modified": "2020-04-08T15:51:25.157Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3", "created": "2020-11-24T17:55:12.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:21:42.102Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can read SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bba8b056-acbe-4fed-b890-965a446d7a3c", "created": "2022-04-01T18:45:00.923Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be warned against granting access to accessibility features and device administration services, and advised to carefully scrutinize applications that request these 
dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.", "modified": "2022-04-01T18:45:00.923Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:42:14.121Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "modified": "2019-10-10T15:27:22.157Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a5b37f26-7629-4195-9536-12e349e5843b", "created": "2023-03-20T18:51:04.334Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:04.334Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", "type": "relationship", "created": "2020-04-24T15:06:33.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:06:33.519Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3841024e-1047-40fa-9e25-ac6d5c14612a", "created": "2023-02-28T21:41:22.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:25:52.302Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view device contacts.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4cb926c1-c242-45c2-be46-07c22435a8a5", "created": "2022-09-30T19:23:02.689Z", "revoked": false, "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2022-09-30T19:23:02.689Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9", "created": "2022-04-01T13:19:41.207Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T13:19:41.207Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9b8b51fb-c380-4516-b109-821f015506d4", "created": "2023-03-20T15:40:26.994Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:40:26.994Z", "description": "", "relationship_type": "detects", 
"source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71", "created": "2019-07-10T15:42:09.606Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:01:46.513Z", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--08c81253-975c-4780-8e85-c72bc6a90c88", "created": "2020-10-29T19:21:23.225Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", "description": "L. Stefanko. 
(2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0c558826-5cea-422e-8e67-83e53c04d409", "created": "2020-06-26T15:32:25.146Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)", "modified": "2022-04-20T16:37:46.192Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "modified": "2019-10-10T15:24:09.378Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", "type": "relationship", "created": "2020-11-10T17:08:35.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-11-10T17:08:35.593Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used native libraries in some reported samples.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca", "created": "2019-09-03T19:45:48.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:10:15.827Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", "type": "relationship", "created": "2020-09-24T15:34:51.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). 
Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "modified": "2020-09-24T15:34:51.433Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d", "created": "2023-02-06T19:01:08.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:07:32.636Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", "type": "relationship", "created": "2020-12-14T15:02:35.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T15:02:35.230Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has encrypted C2 communications using Base64-encoded RC4.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", "type": "relationship", "created": "2019-08-07T15:57:13.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "modified": "2019-09-15T15:36:42.312Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb", "created": "2019-09-04T15:38:56.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:56:00.761Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fb62afa9-d593-44f8-840d-bd5c595a1228", "created": "2022-04-01T18:44:46.780Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "modified": "2022-04-01T18:44:46.780Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f857935b-653a-4b9a-a2dc-59c042059a39", "created": "2023-03-20T15:56:04.673Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:56:04.673Z", "description": "", "relationship_type": "detects", "source_ref": 
"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", "type": "relationship", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2020-06-24T15:08:18.481Z", "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--455b1287-5784-42b4-91fb-01dac007758d", "created": "2020-09-29T13:24:15.234Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-Dendroid", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", "type": "relationship", "created": "2019-11-21T16:42:48.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
} ], "modified": "2020-01-21T14:20:50.455Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0", "created": "2022-04-01T16:52:03.322Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T16:52:03.322Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7", "type": "relationship", "created": "2020-04-24T17:46:31.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T17:46:31.466Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", "type": "relationship", "created": "2020-06-26T15:32:25.035Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." }, { "source_name": "CheckPoint Cerberus", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T15:32:25.035Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", "created": "2020-06-02T14:32:31.906Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)", "modified": "2022-04-20T16:40:05.898Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365", "created": "2019-09-04T14:28:15.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:35:59.273Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000", "created": "2022-03-30T15:13:42.462Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T15:13:42.462Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--694857ba-92e8-462e-8900-a9f6fdcf495d", "type": "relationship", "created": "2020-12-31T18:25:05.133Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). 
The Secret Life of Sandworms. Retrieved December 31, 2020." } ], "modified": "2020-12-31T18:25:05.133Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has encrypted its DEX payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4943cca6-69b1-4565-ac09-87ebda04584c", "created": "2022-04-01T18:52:02.211Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be taught the dangers of rooting or jailbreaking their device.", "modified": "2022-04-01T18:52:02.211Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070", "created": "2022-04-15T17:18:44.185Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", "modified": "2022-04-15T17:18:44.185Z", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Kaspersky-Skygofree", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad", "created": "2020-12-24T21:55:56.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:26:16.282Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf", "created": "2023-03-20T15:46:49.646Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:46:49.646Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:53:38.161Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--82f12052-783e-40e4-8079-d9c030c310fd", "created": "2022-03-30T20:08:40.223Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications.", "modified": "2022-03-30T20:08:40.223Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", "type": "relationship", "created": "2020-01-27T17:05:58.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.312Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5b670281-0054-42b4-8e54-ea01a692f5bf", "type": "relationship", "created": "2021-10-01T14:42:48.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "modified": "2021-10-01T14:42:48.900Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can open a hidden menu when a specific phone number is called from the infected device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2", "created": "2019-09-03T20:08:00.704Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer.(Citation: Talos Gustuff Apr 2019)", "modified": "2022-04-15T17:18:58.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b", "type": "relationship", "created": "2020-12-14T15:02:35.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T15:02:35.286Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", "type": "relationship", "created": "2019-09-03T19:45:48.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-09-11T13:25:19.210Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad", "created": "2023-03-20T18:55:03.385Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:55:03.385Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", "created": "2019-09-04T14:28:15.479Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-Monokle", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394", "created": "2021-02-08T16:36:20.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:07:15.780Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae", "created": "2020-12-24T22:04:27.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:04:02.992Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has used HTTP POST requests for C2.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--34dd5c26-eec9-4288-8e53-677271d490b2", "created": "2023-01-18T19:46:02.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:43:57.834Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d", "created": "2023-03-20T15:55:09.279Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:55:09.279Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb", "created": "2020-09-11T16:22:03.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:58:57.686Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s cell tower information.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80", "created": "2022-03-31T19:51:41.431Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "modified": "2022-03-31T19:51:41.431Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--12de5aeb-9427-4665-81a0-257c76d6f188", "created": "2023-03-03T16:20:48.781Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:20:48.781Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has replaced device apps with ones it has downloaded.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--88ded3fb-759e-4e96-946b-e7148c54856e", "created": "2022-04-08T16:29:30.371Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-08T16:29:30.371Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2", "created": "2023-03-20T15:28:54.837Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:28:54.837Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": 
"attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9", "created": "2022-04-05T19:52:32.201Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:52:32.201Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625", "created": "2022-03-31T16:33:55.074Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-31T16:33:55.074Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", "type": "relationship", "created": "2020-06-26T14:55:13.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "modified": "2020-06-26T14:55:13.382Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:24:32.173Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", "type": "relationship", "created": "2020-09-11T14:54:16.615Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T14:54:16.615Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", "type": "relationship", "created": "2020-09-11T14:54:16.621Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "modified": "2020-09-11T14:54:16.621Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee", "created": "2020-11-24T17:55:12.895Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). 
GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[GPlayed](https://attack.mitre.org/software/S0536) can show a phishing WebView pretending to be a Google service that collects credit card information.(Citation: Talos GPlayed)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--886849fc-f83c-4d69-b700-bfad0def765d", "created": "2023-03-16T18:32:30.054Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:32:30.054Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", "type": "relationship", "created": "2020-12-14T14:52:03.218Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020." } ], "modified": "2020-12-14T14:52:03.218Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794", "type": "relationship", "created": "2020-04-08T15:41:19.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "modified": "2020-04-08T15:41:19.451Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device’s ID.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-10-15T19:44:36.125Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--716f68ee-1e77-4254-8f67-d8f3c71db678", "type": "relationship", "created": "2021-09-20T13:59:00.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2021-09-20T13:59:00.498Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", "type": "relationship", "created": "2019-09-04T15:38:56.597Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" } ], "modified": "2019-09-10T14:59:25.979Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f", "created": "2020-06-24T18:24:35.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:30:27.616Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device’s keychain.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-08-09T17:59:49.021Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates when an SMS message or call is received.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9", "created": "2020-04-08T15:51:25.149Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:30:28.587Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device’s contact list.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:24:55.047Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56", "created": "2020-06-26T15:32:25.045Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:27:05.040Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa", "type": "relationship", "created": "2020-11-24T17:55:12.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.903Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055", "created": "2020-01-27T17:05:58.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:28:20.439Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4af26643-880f-4c34-a4a8-23e89b950c9d", "created": "2019-09-04T15:38:56.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. 
(2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:18:38.582Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--93c20f43-6684-471c-910f-d9577f289677", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-StealthMango", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)", "modified": "2022-04-19T15:47:05.436Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae", "type": "relationship", "created": "2021-02-17T20:43:52.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.407Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has gathered the device manufacturer, model, and serial number.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52", "created": "2023-01-19T18:07:52.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:19:25.438Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can exfiltrate collected user data, including credentials and authorized cookies, via email.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:00:45.438Z", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eb784dcf-4188-47e2-9217-837b262acfb9", "created": "2022-04-01T18:43:01.860Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "modified": "2022-04-01T18:43:01.860Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059", "created": "2023-03-20T18:51:23.032Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:23.032Z", "description": "", "relationship_type": "detects", "source_ref": 
"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5", "created": "2020-04-08T15:41:19.445Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Trend Micro Anubis", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." }, { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "modified": "2022-04-20T17:57:23.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c", "type": "relationship", "created": "2020-01-27T17:05:58.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.273Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--442dd700-2d7d-4cad-8282-9027e4f69133", "created": "2022-03-30T20:31:41.927Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "New OS releases frequently contain additional limitations or controls around device location access.", "modified": "2022-03-30T20:31:41.927Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", "type": "relationship", "created": "2020-11-24T17:55:12.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020." } ], "modified": "2020-11-24T17:55:12.900Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device’s IMEI, phone number, and country.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", "type": "relationship", "created": "2020-01-21T15:29:27.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." } ], "modified": "2020-01-21T15:29:27.041Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87", "type": "relationship", "created": "2021-01-05T20:16:20.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). 
TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-01-05T20:16:20.495Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect device photos and credentials from other applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", "type": "relationship", "created": "2020-09-11T14:54:16.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T14:54:16.617Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", "type": "relationship", "created": "2020-09-15T15:18:12.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "modified": "2020-09-15T15:18:12.459Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--25655385-5b0d-4700-a59f-d5d043625b84", "created": "2023-02-06T18:50:50.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:13:16.813Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use rooting exploits to silently give itself permissions or install additional malware.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2", "created": "2023-03-20T18:59:57.364Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:59:57.364Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213", "created": "2022-04-20T17:31:58.697Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Corona Updates](https://attack.mitre.org/software/S0425) has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)", "modified": "2022-04-20T17:31:58.697Z", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "modified": "2019-08-09T18:08:07.173Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], "modified": "2019-10-10T15:18:51.154Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", "type": "relationship", "created": "2020-11-10T17:08:35.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-11-10T17:08:35.624Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081", "created": "2023-01-18T19:19:01.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:52:20.587Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use Accessibility Services to disable Google Play Protect.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3f81a680-3151-4608-b83f-550756632013", "type": "relationship", "created": "2020-07-20T13:58:53.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "modified": "2020-09-24T15:12:24.301Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device’s IMEI, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--506d657b-1634-442e-8179-7187f82feb3a", "created": "2020-12-24T21:55:56.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:38:17.926Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38", "created": "2022-04-01T18:43:25.764Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", "modified": "2022-04-01T18:43:25.764Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", "type": "relationship", "created": "2020-06-26T15:12:40.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": 
"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." } ], "modified": "2020-06-26T15:12:40.094Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", "type": "relationship", "created": "2020-06-26T15:12:40.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T15:12:40.098Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--97408547-bacd-4308-a8be-556e9ff04951", "created": "2023-03-20T18:55:23.628Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:55:23.628Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": 
"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", "type": "relationship", "created": "2020-09-14T14:13:45.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." } ], "modified": "2020-09-14T14:13:45.296Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)’s iOS version can collect device information.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056", "type": "relationship", "created": "2020-12-24T22:04:27.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:27.919Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has extracted messages from chat programs, such as WeChat.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22", "created": "2019-03-11T15:13:40.454Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "TrendMicro-Anserver", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. 
Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)", "modified": "2022-04-18T19:04:48.388Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d", "created": "2023-03-15T16:34:51.794Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:34:51.794Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415", "created": "2022-03-30T14:50:07.291Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation could detect unauthorized operating system modifications.", "modified": "2022-03-30T14:50:07.291Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349", "created": "2020-10-29T19:01:13.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:44:31.187Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. (Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a", "created": "2022-04-01T14:51:51.593Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. 
", "modified": "2022-04-01T14:51:51.593Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", "type": "relationship", "created": "2020-06-26T14:55:13.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "modified": "2020-06-26T14:55:13.351Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", "type": "relationship", "created": "2019-08-05T13:22:03.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.873Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--19b95b83-bac0-455f-882f-0209abddb76f", "created": "2022-04-05T20:11:35.619Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Applications that properly encrypt network traffic may evade some forms of AiTM behavior. ", "modified": "2022-04-05T20:11:35.619Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b610c587-576a-40cc-9f76-6362455c8ff4", "created": "2023-03-20T18:43:01.334Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:01.334Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--86170d29-0e41-44d0-94b0-de7d23718302", "created": "2022-04-05T19:42:39.957Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android 12 Features", "url": "https://developer.android.com/about/versions/12/features", "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022." } ], "x_mitre_deprecated": false, "revoked": false, "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", "modified": "2022-04-05T19:51:47.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619", "created": "2023-03-20T18:44:04.803Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:44:04.803Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c1512591-7440-4a69-93b9-fe439a4c197e", "created": "2022-03-28T19:40:40.860Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-28T19:40:40.860Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c23d9eff-1d4e-479f-a114-acc535540a23", "created": "2023-03-20T18:46:51.895Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:46:51.895Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a", "created": "2020-06-26T14:55:13.304Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. 
Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", "type": "relationship", "created": "2020-01-27T17:05:58.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.213Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:54:13.685Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the phone and the SIM card.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1", "created": "2023-01-18T19:13:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:11:24.686Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has code to use Firebase Cloud Messaging for receiving C2 instructions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", "type": "relationship", "created": "2019-10-10T15:22:52.545Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "modified": "2019-10-10T15:22:52.545Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ce645a25-160f-443d-b288-fdd108b78a06", "created": "2020-09-11T16:22:03.269Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:41:00.652Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s call log.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc", "created": "2019-09-04T14:28:15.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:19:04.639Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b", "created": "2023-02-28T20:31:03.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, { "source_name": "bitdefender_flubot_0524", "description": "Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:06:56.734Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send SMS phishing messages to other contacts on an infected device.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--848581bc-bf8f-40e2-871e-cd67042b4adf", "created": "2023-01-18T19:14:40.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:59:26.448Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use overlays to steal user banking credentials entered into legitimate sites.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c", "created": "2022-04-01T18:51:44.595Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", "modified": "2022-04-01T18:51:44.595Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--de7e3a71-1152-481c-8e5c-88f53852cab6", "created": "2022-04-01T15:16:53.239Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T15:16:53.239Z", "relationship_type": 
"subtechnique-of", "source_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", "type": "relationship", "created": "2020-09-11T15:14:34.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SMS KitKat", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020." } ], "modified": "2020-10-22T17:04:15.708Z", "description": "Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71", "created": "2022-04-18T15:49:00.561Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)", "modified": "2022-04-18T15:49:00.561Z", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--95fec5e4-d48a-471f-8223-711cd32659b8", "created": "2022-04-01T18:49:51.050Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T18:49:51.050Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e135cefa-f019-479d-86eb-438972df73e0", "created": "2019-09-04T15:38:56.702Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:48:30.652Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", "source_name": "Wandera-RedDrop" } ], "modified": "2019-10-15T19:27:27.997Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", "type": "relationship", "created": "2020-09-11T16:22:03.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T16:22:03.207Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--adc9957c-fa57-4e81-9231-b60f01b69859", "type": "relationship", "created": "2020-12-24T22:04:28.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:28.010Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) can download new code to update itself.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", "type": "relationship", "created": "2019-09-04T15:38:56.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." } ], "modified": "2019-09-10T14:59:26.139Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", "type": "relationship", "created": "2020-06-02T14:32:31.888Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. 
Meltzer, S. Koessel, et al. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." } ], "modified": "2020-06-02T14:32:31.888Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de", "created": "2023-03-20T15:57:00.953Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:57:00.953Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe", "created": "2017-10-25T14:48:53.746Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "A locked bootloader could prevent unauthorized modifications to protected operating system files. ", "modified": "2022-03-30T20:07:33.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5d37400f-80f9-4500-9357-185650e5a7b2", "created": "2023-02-06T18:54:13.573Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:14:02.866Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use HTTP to communicate with the C2 server.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:22:32.033Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--825ffecc-090f-44c8-87be-f7b72e07f987", "created": "2022-04-01T18:43:15.716Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", "modified": "2022-04-01T18:43:15.716Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9c302eb1-1810-48a5-b34d-6aae303d2097", "created": "2022-04-01T15:16:26.387Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be instructed to not open links in applications they don’t recognize.", "modified": 
"2022-04-01T15:16:26.387Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e8768455-4d0c-4e3c-a901-1fc871227745", "created": "2022-03-30T17:54:56.603Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T17:54:56.603Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4920a041-86f7-495b-896c-4d964950ed7e", "type": "relationship", "created": "2020-12-17T20:15:22.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-17T20:15:22.454Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has contained native libraries.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3", "created": "2023-03-03T16:26:48.531Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:26:48.531Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected compromised device MAC addresses.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd", "created": "2022-04-01T15:02:43.475Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T15:02:43.475Z", 
"relationship_type": "revoked-by", "source_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a", "created": "2023-03-20T18:53:52.174Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:53:52.174Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fb587f81-1300-438d-a33b-f8d08530788b", "created": "2019-07-10T15:35:43.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:41:13.182Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a808c887-b2b8-4b05-9cab-47c918e48d48", "type": "relationship", "created": "2020-12-14T15:02:35.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T15:02:35.257Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can send SMS messages from compromised devices.(Citation: Securelist Asacub) ", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e245e45a-71a8-408d-8f32-7b7337bffc26", "created": "2023-01-18T19:19:58.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:10:23.208Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402", "created": "2021-10-01T14:42:49.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:25:39.509Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect SMS messages.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:23:38.651Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48", "created": "2020-09-24T15:34:51.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:24:09.872Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4b7e117b-0c82-49d0-bee6-119158b3355b", "created": "2023-02-28T20:32:37.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T20:32:50.168Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--57293fc9-8838-4acd-a16f-48f516d0921e", "created": "2020-04-08T15:51:25.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:29:51.699Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9", "type": "relationship", "created": "2021-01-05T20:16:20.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
} ], "modified": "2021-01-05T20:16:20.502Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can take screenshots.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71", "created": "2022-03-30T20:53:54.296Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T20:53:54.296Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d", "created": "2019-09-23T13:36:08.451Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb", "created": "2020-11-10T17:08:35.846Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", "type": "relationship", "created": "2020-04-24T17:46:31.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T17:46:31.582Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1", "type": "relationship", "created": "2021-10-01T14:42:49.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "modified": "2021-10-01T14:42:49.184Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect the device’s location information based on cellular network or GPS coordinates.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--9432fabf-9487-469c-86c9-b9d26b013c85", "created": "2022-04-01T13:13:10.587Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Call Log access is an uncommonly needed permission, so users should be instructed to apply extra scrutiny when granting an application access to their call logs. 
", "modified": "2022-04-01T13:13:10.587Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9", "created": "2022-04-01T17:08:15.158Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "CSRIC5-WG10-FinalReport", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC5-WG10-FinalReport) ", "modified": "2022-04-11T19:09:00.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). 
Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:01:14.020Z", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b", "type": "relationship", "created": "2021-01-05T20:16:20.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
} ], "modified": "2021-01-05T20:16:20.419Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture audio from the device’s microphone and can record phone calls.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f051c943-998c-4db2-9dbc-d4755057bcf0", "created": "2022-04-05T19:49:06.417Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "modified": "2022-04-05T19:49:06.417Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d", "type": "relationship", "created": "2021-01-05T20:16:20.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
} ], "modified": "2021-01-05T20:16:20.417Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture photos and videos from the device’s camera.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "modified": "2019-10-15T19:54:10.284Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0", "created": "2020-10-29T17:48:27.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:30:18.307Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can intercept SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952", "created": "2020-04-24T17:46:31.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:25:55.378Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416", "created": "2023-03-20T18:52:56.247Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:52:56.247Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", "type": "relationship", "created": "2019-09-04T14:28:16.478Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-10-14T17:52:48.001Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. [Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", "created": "2017-10-25T14:48:53.741Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. 
Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.", "modified": "2022-03-30T20:25:46.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed", "created": "2019-07-10T15:35:43.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:55:00.294Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", "type": "relationship", "created": "2020-12-24T21:55:56.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": 
[ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.747Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", "type": "relationship", "created": "2020-06-26T14:55:13.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T14:55:13.307Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf", "created": "2023-03-16T18:28:28.144Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:28:28.144Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. 
Retrieved February 6, 2017.", "source_name": "CrowdStrike-Android" } ], "modified": "2020-03-20T16:37:06.668Z", "description": "(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415", "type": "relationship", "created": "2020-11-10T17:08:35.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-11-10T17:08:35.819Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device’s location and track the device over time.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8", "created": "2022-03-30T18:06:21.355Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Symantec-iOSProfile2", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles", "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018." }, { "source_name": "Android-TrustedCA", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html", "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "modified": "2022-03-30T18:06:21.355Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544", "created": "2022-04-05T19:40:25.071Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:40:25.071Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda", "created": "2023-02-06T19:02:00.135Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:16:28.481Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself microphone permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", "type": "relationship", "created": "2020-01-27T17:05:58.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:05:58.276Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2", "created": "2022-04-01T15:13:55.124Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be instructed to not open links in applications they don’t recognize.", "modified": "2022-04-01T15:13:55.124Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383", "created": "2022-04-05T20:17:46.149Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T20:17:46.149Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671", "created": "2021-02-08T16:36:20.709Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "modified": "2022-04-18T16:07:26.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0727ac06-5b46-4f79-abe9-63c1b923d383", "created": "2023-02-06T19:05:56.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:07:11.541Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9", "created": "2022-04-06T13:57:38.847Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T13:57:38.847Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", "type": "relationship", "created": "2019-08-09T17:56:05.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). 
SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-08-09T17:56:05.588Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f", "created": "2022-03-28T19:25:38.355Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates may contain patches that inhibit system software compromises.", "modified": "2022-03-28T19:25:38.355Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", "type": "relationship", "created": "2019-09-04T15:38:56.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." 
} ], "modified": "2019-09-10T14:59:26.071Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f", "created": "2019-12-10T16:07:41.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:21:03.081Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", "type": "relationship", "created": "2020-07-20T14:12:15.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Check Point-Joker", "url": 
"https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." } ], "modified": "2020-07-20T14:12:15.566Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--22334426-e99f-4e97-b4dd-17e297da4118", "created": "2020-12-24T21:55:56.696Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:23:54.777Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", "type": "relationship", "created": "2019-11-21T16:42:48.497Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "modified": "2019-11-21T16:42:48.497Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7", "created": "2022-04-15T16:00:43.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:52:33.829Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": 
"Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0", "type": "relationship", "created": "2021-10-01T14:42:48.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "modified": "2021-10-01T14:42:48.728Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6", "created": "2020-09-14T13:35:45.911Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "ESET-Twitoor", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)", "modified": "2022-04-20T17:56:24.292Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--02e4aedc-0674-4598-948b-0a32758af9ca", "created": "2022-04-01T13:14:43.195Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T13:14:43.195Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:28:46.820Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", "type": "relationship", "created": "2020-06-02T14:32:31.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "modified": "2020-06-02T14:32:31.878Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b", "type": "relationship", "created": "2020-12-18T20:14:47.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." } ], "modified": "2020-12-18T20:14:47.314Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has utilized foreground services.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", "type": "relationship", "created": "2020-04-24T17:46:31.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. 
Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "modified": "2020-04-24T17:46:31.691Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45", "created": "2019-09-15T15:32:17.580Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Android Notification Listeners", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)", "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. 
The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners) ", "modified": "2022-04-01T14:50:28.686Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e", "type": "relationship", "created": "2020-12-14T14:52:03.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T14:52:03.310Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f", "created": "2023-03-20T18:58:33.787Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:33.787Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1", "created": "2020-10-29T17:48:27.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:18:05.613Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can lock the device with a password and permanently disable the screen.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:03:20.968Z", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3", "created": "2023-02-06T19:01:39.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:25:11.903Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself contact list access.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--35453bbb-c9b3-4421-8452-95efdd290d21", "type": "relationship", "created": "2021-01-20T16:01:19.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zimperium z9", "url": "https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/", "description": "zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021." 
} ], "modified": "2021-01-20T16:01:19.323Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--12852406-87df-4892-a177-e15e81739000", "created": "2023-03-20T18:50:14.139Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:50:14.139Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f", "type": "relationship", "created": "2020-12-17T20:15:22.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-17T20:15:22.445Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device’s camera.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef", "created": "2020-07-27T14:14:56.993Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108", "created": "2023-03-20T18:57:17.059Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:57:17.059Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", 
"x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--afc0e8b2-2e85-4640-8517-fb2e16831082", "created": "2023-01-18T19:45:27.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:56:03.190Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake log in site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f", "created": "2020-12-24T21:55:56.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:41:52.454Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50", "type": "relationship", "created": "2019-10-10T15:14:57.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-10-10T15:14:57.378Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", "type": "relationship", "created": "2020-07-15T20:20:59.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "modified": "2020-07-15T20:20:59.314Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) updates and sends the location of the phone.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--54dac52d-5279-407f-b7b4-5484ae90b98c", "type": "relationship", "created": "2021-02-17T20:43:52.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). 
FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.402Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has downloaded and installed additional applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4896e256-fb04-403c-bbb7-2323b158a6e0", "created": "2022-03-30T19:52:05.143Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T19:52:05.143Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-08-09T17:56:05.682Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d", "created": "2020-12-17T20:15:22.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:55:35.453Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device’s contact list.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", "type": "relationship", "created": "2020-05-04T14:04:56.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "url": 
"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "modified": "2020-05-04T15:40:21.076Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78", "created": "2023-02-28T20:37:59.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:08:37.122Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can obfuscate class, string, and method names in newer malware versions.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], "modified": "2019-10-09T14:51:42.827Z", "description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. 
It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b4735277-516a-4cd2-9607-a3e415945d93", "type": "relationship", "created": "2020-11-10T17:08:35.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2021-09-20T13:54:20.494Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3565140f-1570-494d-9d6f-91c9203ece69", "created": "2023-03-20T18:52:29.821Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:52:29.821Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", "type": "relationship", "created": "2019-09-04T14:28:16.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-09-04T14:32:12.877Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91", "created": "2020-12-18T20:14:47.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:48:00.045Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has registered several broadcast receivers.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93", "created": "2023-03-20T18:21:59.396Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:21:59.396Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--75ed2348-279f-4485-97a3-9a5ada27d799", "created": "2023-02-06T19:06:17.406Z", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:06:17.406Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can disable Play Protect.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--80778a1e-715d-477b-87fa-e92181b31659", "created": "2020-12-24T21:45:56.967Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:15:22.472Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can delete various pieces of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3b24a287-36e1-49b9-811d-c0080147ff57", "created": "2023-03-20T18:41:47.754Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:41:47.754Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", "type": "relationship", "created": "2020-09-11T16:22:03.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. 
(2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." } ], "modified": "2020-09-11T16:22:03.296Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-21T18:51:23.251Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--57a069a0-399f-43ab-9efc-50432a41b26b", "created": "2020-12-24T21:55:56.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:36:12.585Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9", "created": "2019-07-16T14:33:12.113Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Krebs-Triada June 2019", "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/", "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019." }, { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019)(Citation: Krebs-Triada June 2019)", "modified": "2022-04-19T15:47:32.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca", "created": "2023-03-20T18:58:19.895Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:19.895Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af", "created": "2023-01-18T21:20:01.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:56:41.614Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8", "created": "2019-11-21T16:42:48.437Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:22:18.013Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--891edea2-817c-4eeb-9991-b6e095c269a8", "created": "2020-06-02T14:32:31.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:40:06.957Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d32003ba-959b-4377-aa04-f75275c32abf", "created": "2019-07-16T14:33:12.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:40:27.131Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817", "created": "2019-09-20T18:03:57.062Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Android 10 Execute", "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission", "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. 
(Citation: Android 10 Execute)", "modified": "2022-04-01T18:37:44.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a", "created": "2023-03-20T18:44:36.073Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:44:36.073Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09", "type": "relationship", "created": "2021-02-08T16:36:20.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "modified": "2021-05-24T13:16:56.596Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--148703c5-6d07-439c-a4ff-d77119c70857", "created": "2023-03-20T18:52:21.767Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:52:21.767Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", "type": "relationship", "created": "2019-12-10T16:07:41.066Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
} ], "modified": "2019-12-10T16:07:41.066Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62", "created": "2023-03-20T18:57:14.194Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:57:14.194Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962", "created": "2022-03-30T19:54:07.548Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation could detect devices with unauthorized or unsafe modifications. 
", "modified": "2022-03-30T19:54:07.548Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", "type": "relationship", "created": "2020-09-11T15:58:40.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "modified": "2020-09-11T15:58:40.846Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc", "created": "2020-09-14T14:13:45.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:40:48.237Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1", "created": "2022-04-06T13:52:46.831Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Android 7 changed how the Device Administrator password APIs function.", "modified": "2022-04-06T13:52:46.831Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb", "created": "2020-12-24T22:04:28.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:41:54.548Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab", "created": "2023-01-18T19:58:21.223Z", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-01-18T19:58:21.223Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b", "type": "relationship", "created": "2020-12-24T21:45:56.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T21:45:56.981Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has access to the device’s location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--10560632-6449-4579-90eb-20fc46dcca08", "created": "2020-10-29T19:21:23.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:49:16.886Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", "type": "relationship", "created": 
"2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)", "relationship_type": "uses", "source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f", "created": "2019-09-03T19:45:48.518Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:11:03.802Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951", "created": "2023-01-19T18:08:14.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-01T16:50:04.964Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) has encrypted C2 details, email addresses, and passwords.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", "type": "relationship", "created": "2019-10-18T15:51:48.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2019-10-18T15:51:48.525Z", "description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3", "created": "2020-07-20T13:27:33.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. 
Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:54:25.851Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device’s contact list.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1", "type": "relationship", "created": "2020-11-24T17:55:12.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.887Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device’s model, country, and Android version.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd", "created": "2023-03-20T18:43:03.117Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:03.117Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e928c0ce-2b98-4af5-a990-f690f4306681", "created": "2023-03-20T18:43:46.070Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:46.070Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": 
"relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", "type": "relationship", "created": "2020-09-24T15:34:51.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "modified": "2020-09-24T15:34:51.276Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can collect the device’s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec", "created": "2022-04-01T15:54:48.924Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. 
", "modified": "2022-04-01T15:54:48.924Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16", "type": "relationship", "created": "2021-02-17T20:43:52.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." } ], "modified": "2021-02-17T20:43:52.420Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved device images for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", "type": "relationship", "created": "2020-09-11T16:23:16.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "modified": "2020-09-11T16:23:16.363Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8", "created": "2022-04-05T19:49:59.027Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:49:59.027Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", "type": "relationship", "created": "2020-07-27T14:14:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
} ], "modified": "2020-08-10T22:18:20.782Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", "type": "relationship", "created": "2020-10-29T17:48:27.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." } ], "modified": "2020-10-29T17:48:27.332Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3", "created": "2020-12-14T14:52:03.283Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). 
Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)", "modified": "2022-04-20T16:43:23.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", "type": "relationship", "created": "2019-11-21T16:42:48.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "source_name": "SecureList - ViceLeaker 2019" }, { "source_name": "Bitdefender - Triout 2018", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
} ], "modified": "2020-01-21T14:20:50.474Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device’s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7965128c-89d6-411e-b765-c60e0cae96c6", "created": "2023-02-06T19:40:36.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. 
(2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:36:23.084Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07", "created": "2023-03-20T18:54:25.458Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:54:25.458Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1", "created": "2019-09-04T15:38:56.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:37:35.704Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb", "created": "2023-03-20T18:58:14.140Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:14.140Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", "type": "relationship", "created": "2019-09-03T19:45:48.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-10-14T16:47:53.226Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847", "created": "2022-04-06T13:30:03.526Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be taught that Device Administrator permissions are very dangerous and that very few applications need them.", "modified": "2022-04-06T13:30:03.527Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f", "created": "2022-03-30T20:07:33.291Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T20:07:33.291Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e012da15-7669-4764-ad9d-8a1d817bcca9", "created": "2023-03-20T18:23:04.068Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:23:04.068Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", "type": "relationship", "created": "2021-04-19T14:29:46.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2021-04-19T14:29:46.530Z", "description": " [SilkBean](https://attack.mitre.org/software/S0549) can send SMS messages.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f", "type": "relationship", "created": "2021-10-01T14:42:49.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." } ], "modified": "2021-10-01T14:42:49.191Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594", "created": "2022-04-05T17:14:08.267Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T17:14:08.267Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", 
"x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:02:40.717Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--fe794ba6-42be-4d42-a16f-a41473874331", "created": "2022-03-30T15:08:13.679Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android-VerifiedBoot", "url": "https://source.android.com/security/verifiedboot/", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, modifications that could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", "modified": "2022-03-30T15:08:13.679Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5", "created": "2022-04-06T15:47:06.163Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T15:47:06.163Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf", "created": "2023-02-06T18:59:46.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:12:28.993Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2e913583-123a-47af-8872-98fc12ab4a6a", "type": "relationship", "created": "2020-11-24T17:55:12.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.846Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can send SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2", "created": "2022-03-30T19:12:31.481Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T19:12:31.481Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0e8607f6-daab-44df-b167-105403a4ef41", "created": "2023-01-18T19:57:33.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:39:39.355Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the “Direct Reply” feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7", "created": "2023-03-20T15:33:34.181Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:33:34.181Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263", "created": "2023-03-15T16:23:59.107Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:23:59.107Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": 
"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--48854999-1c12-4454-bb7c-051691a081f9", "created": "2022-03-28T19:25:49.640Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Ensure Verified Boot is enabled on devices with that capability.", "modified": "2022-03-28T19:25:49.640Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da", "type": "relationship", "created": "2021-09-24T14:52:41.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2021-09-24T14:52:41.308Z", "description": " [Monokle](https://attack.mitre.org/software/S0407) can hook itself to appear invisible to the Process Manager.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--08a43019-d393-451f-a23c-2dfa17ec40b2", "created": "2023-01-18T19:15:24.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:51:07.963Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. 
(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:37:02.853Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--96569099-db95-4f3c-8ded-6d9cf023e55e", "created": "2019-09-03T20:08:00.717Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": " [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c", "created": "2019-11-21T19:16:34.820Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CheckPoint SimBad 2019", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2793d721-df10-4621-8387-f3342def59a1", "created": "2022-03-30T18:14:36.786Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", "modified": "2022-03-30T18:14:36.786Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e", "created": "2023-02-28T20:34:18.504Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). 
FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:12:45.147Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use HTTP POST requests on port 80 for communicating with its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--049c39ab-c036-457a-9b8f-4318416658b8", "created": "2022-03-30T19:54:24.468Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. 
", "modified": "2022-03-30T19:55:15.724Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--38962b26-7cbe-4761-8b4f-50a022167c4d", "created": "2019-09-03T20:08:00.708Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)", "modified": "2022-04-15T16:55:56.825Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--51757971-17ac-40c3-bae7-78365579db49", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:02:27.188Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1284f6fe-d352-415c-9479-82141524380a", "created": "2022-03-30T18:06:48.250Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). 
", "modified": "2022-03-30T18:06:48.250Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a", "created": "2023-03-20T18:39:10.113Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:39:10.113Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cc345ae4-0d60-4f21-98b3-596c15118745", "created": "2023-02-06T19:42:46.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:38:03.367Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6c35f99c-153d-4023-a29a-821488ce5418", "type": "relationship", "created": "2020-04-08T15:41:19.383Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "modified": "2020-04-08T15:41:19.383Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a20493e1-4699-405d-a291-c28aae8ed737", "created": "2022-04-18T16:53:24.617Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Wandera-RedDrop", "url": "https://www.wandera.com/reddrop-malware/", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop) ", "modified": "2022-04-20T16:33:23.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", "type": "relationship", "created": "2019-07-16T14:33:12.085Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." } ], "modified": "2020-04-27T16:52:49.480Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8", "created": "2019-09-04T15:38:56.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:48:43.225Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306", "type": "relationship", "created": "2020-05-07T15:33:32.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "modified": "2020-05-07T15:33:32.778Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209", "type": "relationship", "created": "2020-04-24T15:06:33.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:06:33.450Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", "type": "relationship", "created": "2020-07-15T20:20:59.282Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-07-15T20:20:59.282Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2", "created": "2023-01-18T21:24:28.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. 
(2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:55:39.648Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322) ", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c", "created": "2020-09-11T14:54:16.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:45:14.199Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f", "created": "2023-03-20T18:43:14.051Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:14.051Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998", "created": "2020-04-08T15:41:19.385Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cd7a2294-1e14-42e8-b870-d99d73443b88", "created": "2022-04-01T12:37:42.068Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. ", "modified": "2022-04-01T12:37:42.068Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", "created": "2019-09-03T20:08:00.711Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Group IB Gustuff Mar 2019", "url": "https://www.group-ib.com/blog/gustuff", "description": "Group-IB. (2019, March 28). 
Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." }, { "source_name": "Talos Gustuff Apr 2019", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. [Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay.(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)", "modified": "2022-04-19T19:42:17.904Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1", "created": "2020-07-15T20:20:59.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:33:57.748Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", "type": "relationship", "created": "2019-11-21T16:42:48.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
} ], "modified": "2019-11-21T16:42:48.490Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad", "created": "2020-04-24T15:06:33.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:37:37.674Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device’s call log.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9", "created": "2020-09-11T14:54:16.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:52:05.260Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device’s contact list.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8", "created": "2019-11-21T16:42:48.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:37:19.124Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4819f391-01de-4525-992b-7e4a4f6667de", "type": "relationship", "created": "2020-11-20T15:46:51.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T15:46:51.603Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can take pictures with the camera.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed", "created": "2023-03-20T18:58:56.347Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:56.347Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e", "created": "2023-03-03T16:25:52.931Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:25:52.931Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about installed applications.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265", "created": "2021-04-19T14:29:46.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:15:42.930Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-08-09T17:59:49.112Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--268c12df-d3bc-46fa-99e9-32caab50b175", "created": "2022-03-30T15:52:09.759Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation can often detect jailbroken or rooted devices.", "modified": "2022-03-30T15:52:09.759Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d", "created": "2019-09-03T20:08:00.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:11:36.853Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696", "created": "2022-03-28T19:38:23.189Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-28T19:38:23.190Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--127e6672-d16a-4370-b277-4d04874a4cfe", "created": "2023-02-06T19:37:24.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-11T19:29:31.138Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--289f5e23-088a-4840-a2a6-bab30da2a64b", "created": "2022-04-01T16:51:04.584Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "GoogleIO2016", "url": "https://www.youtube.com/watch?v=XZzLjllizYs", "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.(Citation: GoogleIO2016)", "modified": "2022-04-01T16:51:04.584Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1db350b2-1e8b-4d58-9086-eac41de1b110", "created": "2022-04-05T17:13:56.584Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T17:13:56.584Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1", "created": "2020-07-20T13:27:33.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:35:47.258Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9", "created": "2020-07-20T13:27:33.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:36:07.297Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device’s call log.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8c656539-aa1e-42db-9016-d38f1daaae16", "created": "2023-01-18T19:20:26.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:06:05.822Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can collect user SMS messages.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1", "created": "2023-03-15T16:24:12.588Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:24:12.588Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--393300c4-6852-466d-a163-1d51330fe055", "created": "2023-03-20T18:45:39.292Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:48:50.839Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", 
"x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--82b58c75-239e-4dac-b848-bc1f3354adc4", "created": "2023-03-20T18:41:18.288Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:41:18.288Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4ee57616-7205-490c-86c3-c27dcffd8689", "created": "2022-04-06T13:35:43.203Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Recent OS versions have limited access to certain APIs unless certain conditions are met, making [Data Manipulation](https://attack.mitre.org/techniques/T1641) more difficult", "modified": "2022-04-06T13:35:43.203Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999", "created": "2020-11-24T17:55:12.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": 
[ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:21:12.197Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can register for the `BOOT_COMPLETED` broadcast intent.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d", "created": "2020-07-15T20:20:59.380Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", "modified": "2022-04-18T19:18:24.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--dbef53a9-f9c4-4582-8e93-349ad488de12", "created": "2023-02-28T21:42:06.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:27:42.197Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view call logs.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae", "created": "2019-09-04T20:01:42.753Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Nightwatch screencap April 2016", "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/", "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Application developers can apply the `FLAG_SECURE` property to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016) ", "modified": "2022-04-01T13:31:59.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4", "created": "2023-03-30T15:18:37.934Z", "revoked": false, "external_references": [ { "source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-30T15:18:37.934Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1", "created": "2020-12-24T21:45:56.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:16:17.615Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has attempted to trick users into enabling installation of applications from unknown sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", "type": "relationship", "created": "2019-08-07T15:57:13.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "modified": "2019-09-15T15:36:42.339Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--269d4409-e287-4ef3-b5f3-765ec03e503e", "created": "2020-06-02T14:32:31.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:18:38.700Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel’s trust cache.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a", "created": "2023-03-03T16:25:09.978Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:25:09.978Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.(Citation: paloalto_yispecter_1015) ", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791", "created": "2022-03-30T19:33:17.520Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "modified": "2022-03-30T19:33:17.520Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f", "created": 
"2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-Pegasus", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--75770898-93a7-45e3-bdb2-03172004a88f", "created": "2022-03-30T14:49:47.451Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android-VerifiedBoot", "url": "https://source.android.com/security/verifiedboot/", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", "modified": "2022-03-30T14:49:47.451Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6d88242f-e45b-481c-bd41-b66a662618ce", "created": "2022-04-06T13:57:24.730Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T13:57:24.730Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-08-09T17:56:05.683Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03", "type": "relationship", "created": "2020-12-17T20:15:22.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-17T20:15:22.449Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device’s microphone.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", "type": "relationship", "created": "2020-06-26T15:32:25.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "modified": "2020-06-26T15:32:25.074Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f", "type": "relationship", "created": "2020-12-14T15:02:35.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020." } ], "modified": "2020-12-14T15:02:35.290Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has implemented functions in native code.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f", "created": "2020-10-29T19:01:13.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:54:05.374Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) can prevent the user from interacting with the UI by using a carefully crafted \"call\" notification screen. This is coupled with overriding the `onUserLeaveHint()` callback method to spawn a new notification instance when the current one is dismissed. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76", "created": "2019-10-18T14:50:57.472Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates frequently contain patches for known exploits.", "modified": "2022-03-25T14:12:54.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:03:03.296Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", "type": "relationship", "created": "2020-07-27T14:14:56.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
} ], "modified": "2020-08-10T22:18:20.777Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f", "created": "2019-11-21T19:16:34.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:44:53.855Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7e8956e3-7d90-412d-a82f-d61e43239923", "created": "2023-03-20T18:44:01.387Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
"modified": "2023-03-20T18:44:01.387Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", "type": "relationship", "created": "2020-04-24T17:46:31.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "modified": "2020-04-27T15:27:26.539Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a", "created": "2023-03-20T18:53:35.012Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:53:35.012Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4e68feca-083f-40ed-88d8-2b6a3935c949", "created": "2023-01-18T19:12:11.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:53:38.271Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use the Android `CallScreeningService` to silently block incoming calls.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91", "created": "2020-10-29T19:21:23.187Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:42:27.975Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can hide its icon and create a shortcut based on the C2 server response.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0", "created": "2019-08-07T15:57:13.453Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b536f233-8c43-4671-b8e8-d72a4806946d", "created": "2022-04-05T17:14:23.789Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T17:14:23.789Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa", "created": "2022-04-01T16:52:36.974Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T16:52:36.974Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", "type": "relationship", "created": "2020-05-04T14:04:56.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." } ], "modified": "2020-05-04T15:40:21.081Z", "description": "[Bread](https://attack.mitre.org/software/S0432) collects the device’s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:12:48.998Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4b838636-bfa4-4592-b72f-3044946b8187", "created": "2020-09-14T14:13:45.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:53:16.656Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device’s contact list.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:17:40.860Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1", "created": "2023-03-20T15:16:19.428Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:16:19.428Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1", "created": "2022-04-05T19:48:31.354Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:48:31.354Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "target_ref": 
"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "modified": "2019-08-09T18:08:07.183Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--535d2425-21aa-4fe5-ae6d-5b677f459020", "created": "2022-03-28T19:41:37.162Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates may contain patches for devices that were compromised at the supply chain level.", "modified": "2022-03-28T19:41:37.162Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_attack_spec_version": 
"2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", "created": "2022-04-06T13:57:49.186Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T13:57:49.186Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", "type": "relationship", "created": "2020-12-24T22:04:27.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T22:04:27.914Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7", "created": "2023-03-20T15:16:28.177Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:16:28.177Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", "type": "relationship", "created": "2020-09-14T14:13:45.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "modified": "2020-09-14T15:39:17.961Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e0f58ab7-b246-4c41-9afc-89b582590809", "type": "relationship", "created": "2020-12-18T20:14:47.374Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T20:14:47.374Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can download additional modules at runtime via JavaScript `eval` statements.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7ba30703-c3aa-425a-9482-9e9941fd7038", "type": "relationship", "created": "2020-12-24T21:45:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:45:56.961Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access the camera on the device.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308", "created": "2023-02-06T19:04:33.224Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:06:11.934Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2", "created": "2023-03-20T18:50:32.580Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:50:32.580Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). 
The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)", "relationship_type": "uses", "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac", "created": "2020-06-26T15:32:25.060Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:35:13.005Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e889782a-f66b-448e-a466-e55b1bce7b64", "created": "2023-02-28T20:38:25.598Z", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T20:38:25.598Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has encrypted C2 message bodies with RSA and encoded them in base64.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--481e5d33-eca4-453c-9fec-27ee01d50989", "created": "2023-02-28T21:45:41.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:26:12.006Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view files and media.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", "type": "relationship", "created": "2019-07-10T15:25:57.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "modified": "2019-08-12T17:30:07.571Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b697a198-8949-43e0-b2b8-23498373c920", "created": "2023-03-20T18:37:13.628Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:37:13.628Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2115228b-c61a-4ebb-829a-df7355635fbf", "created": "2020-12-17T20:15:22.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:50:12.639Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can detect if the app is running on an emulator.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0", "created": "2022-04-11T20:05:56.540Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-11T20:05:56.540Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a", "type": "relationship", "created": "2020-12-24T21:55:56.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.726Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d71fab20-a56c-4404-a65d-aaa37056f16e", "created": "2022-04-01T15:16:16.027Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the previously installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "modified": "2022-04-01T15:16:16.027Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e", "created": "2020-09-14T14:13:45.299Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout eSurv", "url": "https://blog.lookout.com/esurv-research", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[eSurv](https://attack.mitre.org/software/S0507)’s Android version has used public key encryption and certificate pinning for C2 communication.(Citation: Lookout eSurv)", "modified": "2022-04-18T15:58:08.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", "type": "relationship", "created": "2020-06-02T14:32:31.871Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
} ], "modified": "2020-06-24T18:24:35.795Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0", "created": "2023-03-15T16:39:32.117Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:39:32.117Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--60ad088f-3133-4b0c-a441-e1e06fff1765", "created": "2023-02-06T19:37:56.416Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:34:29.147Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c6464a84-e23b-412f-b435-5b23853d3643", "created": "2020-09-14T13:35:45.909Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "ESET-Twitoor", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)", "modified": "2022-04-20T12:58:23.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d", "created": "2020-09-11T14:54:16.587Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:25:21.998Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a", "created": "2023-03-03T15:42:28.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:17:24.417Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can send large amounts of device data over its C2 channel, including the device’s manufacturer, model, version and serial number, telephone number, and IP address.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", "type": "relationship", "created": "2019-09-04T14:28:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-09-04T14:32:12.803Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f", "created": "2019-07-16T14:33:12.107Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Kaspersky Triada June 2016", "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019." }, { "source_name": "Google Triada June 2019", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", "type": "relationship", "created": "2020-05-11T16:37:36.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "source_name": "ThreatFabric Ginp" } ], "modified": "2020-05-11T16:37:36.673Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519", "created": "2022-04-05T17:03:53.457Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T17:03:53.457Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b", "created": "2019-12-10T16:07:41.081Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:47:53.438Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa", "type": "relationship", "created": "2020-11-24T17:55:12.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.804Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has the capability to remotely load plugins and download and compile new .NET code.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f", "created": "2023-03-20T15:55:32.395Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:55:32.395Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d", "created": "2023-03-20T18:38:36.873Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:38:36.873Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
], "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", "type": "relationship", "created": "2020-09-15T15:18:12.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "modified": "2020-09-15T15:18:12.421Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1317fb3d-ded3-4b84-8007-147f3b02948a", "created": "2022-04-05T19:52:38.539Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" } ], "x_mitre_deprecated": false, "revoked": false, "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC-WG1-FinalReport) ", "modified": "2022-04-05T19:52:38.539Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": 
"relationship--049b0c71-63e3-47ce-bb0b-149df0344b15", "created": "2020-12-24T21:45:56.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:15:59.861Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", "type": "relationship", "created": "2019-09-03T20:08:00.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "modified": "2019-09-15T15:35:33.379Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861", "created": "2021-02-08T16:36:20.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:06:46.369Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2", "created": "2023-03-20T19:00:26.780Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T19:00:26.780Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:32:29.636Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb", "type": "relationship", "created": "2019-07-10T15:35:43.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.842Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328", "created": "2022-03-30T19:34:09.377Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T19:34:09.377Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d01b311d-8741-4b58-b127-88fecb2b0544", "created": "2020-04-08T15:41:19.448Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", "modified": "2022-04-15T17:33:02.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d13724d0-a5e2-433b-86bf-ead04359edec", "created": "2022-04-01T15:13:10.022Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "iOS Universal Links", "url": "https://developer.apple.com/ios/universal-links/", "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." }, { "source_name": "Android App Links", "url": "https://developer.android.com/training/app-links/verify-site-associations", "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." }, { "source_name": "IETF-PKCE", "url": "https://tools.ietf.org/html/rfc7636", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. 
", "modified": "2022-04-01T15:13:10.022Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d170a088-b115-4a86-b093-8aa32666a470", "created": "2023-03-15T16:39:55.148Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:39:55.148Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446", "created": "2020-12-14T14:52:03.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:26:37.661Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", "type": "relationship", "created": "2020-07-20T13:27:33.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T22:00:43.490Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6d659130-545b-4917-891c-6c1b7d54ed07", "type": "relationship", "created": "2021-01-05T20:16:20.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-01-05T20:16:20.505Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can send SMS messages.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590", "created": "2019-09-23T13:36:08.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:57:05.633Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4a408dee-07da-4855-b2ff-be512480ccb5", "created": "2023-01-19T18:08:41.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:18:05.095Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can gather device UDIDs.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ed3293cf-de4f-4a73-98af-24325e8187c9", "created": "2020-04-24T17:46:31.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:51:43.135Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "modified": "2019-10-10T15:27:22.110Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad", "type": "relationship", "created": "2020-12-07T14:28:32.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
} ], "modified": "2020-12-07T14:28:32.141Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c", "created": "2020-12-14T14:52:03.385Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)", "modified": "2022-04-20T17:56:51.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d716163d-2492-4088-9235-b2310312ba27", "created": "2022-04-06T15:44:48.422Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T15:44:48.422Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962", "created": "2019-09-23T13:36:08.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:58:03.072Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user to enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", "type": "relationship", "created": "2020-09-11T14:54:16.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2021-04-19T17:11:50.418Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect attacker-specified files, including files located on external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--88e33687-e999-42c8-b46b-49d2adfa17d0", "created": "2022-04-01T15:02:04.528Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Apple regularly provides security updates for known OS vulnerabilities.", "modified": "2022-04-01T15:02:04.528Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--de45db46-2251-4a29-b4d7-3fcf679e9484", "created": "2019-09-04T15:38:56.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" }, { "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:32:16.401Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a563fc97-a452-4348-a831-f4fb55c71e35", "created": "2023-03-03T16:22:45.712Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:22:45.712Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used fake Verisign and Symantec certificates to bypass malware detection systems. 
[YiSpecter](https://attack.mitre.org/software/S0311) has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5b04c8d0-c026-4838-9383-e4146de36d4d", "created": "2023-03-16T18:33:19.941Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:33:19.941Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc", "created": "2023-02-28T20:37:01.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:13:55.642Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9", "created": "2023-03-20T18:51:07.547Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:07.547Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81", "created": "2022-04-05T20:03:46.789Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T20:03:46.789Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", 
"target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9e95ef68-0650-49eb-888f-47c211481be9", "created": "2023-03-20T18:51:40.217Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:40.217Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ece70dca-803c-4209-8792-7e56e9901288", "created": "2020-07-15T20:20:59.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:38:15.470Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "modified": "2019-08-09T18:08:07.144Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599", "type": "relationship", "created": "2020-07-20T13:27:33.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T21:57:54.531Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3", "created": "2023-03-16T13:32:02.290Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T13:32:02.290Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d", "created": "2019-10-18T14:50:57.491Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates often contain patches for vulnerabilities.", "modified": "2022-03-30T15:52:58.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", "type": "relationship", "created": "2020-06-26T14:55:13.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." } ], "modified": "2020-06-26T14:55:13.289Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android’s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--10c07066-df05-4dff-bb95-c76be02ea4ef", "created": "2020-09-14T14:13:45.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:30:00.975Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103", "created": "2019-09-23T13:36:08.341Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T16:58:27.974Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. 
It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1", "created": "2020-06-26T15:32:25.002Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", "modified": "2022-04-15T17:33:17.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", "type": "relationship", "created": "2019-09-03T19:45:48.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": 
"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." } ], "modified": "2019-09-11T13:25:19.117Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e", "created": "2022-04-01T17:05:56.046Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "On Android 11 and up, users are not prompted with the option to select “Allow all the time” and must navigate to the settings 
page to manually select this option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. ", "modified": "2022-04-01T17:05:56.046Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6", "created": "2020-09-11T16:22:03.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:33:34.466Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc", "created": "2020-04-08T15:41:19.400Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:17:41.320Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", "type": "relationship", "created": "2020-12-24T21:55:56.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.657Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. 
‘GoogleMusic.png’) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--56758bb5-230e-43ac-9851-167c296c3dfa", "created": "2023-03-20T18:38:27.730Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:38:27.730Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd", "type": "relationship", "created": "2020-04-08T18:55:29.196Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved April 8, 2020.", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "source_name": "Cofense Anubis" } ], "modified": "2020-04-09T16:45:38.751Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030", "created": "2022-03-30T20:42:04.251Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be advised to scrutinize applications that request location with extra care, and to deny any permissions requests for applications they do not recognize.", "modified": "2022-03-30T20:42:04.251Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--875dc21d-92c3-45bf-be37-faa44f4449bf", "created": "2020-06-02T14:32:31.891Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:51:44.262Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s contact list.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39", "type": "relationship", "created": "2020-04-08T15:41:19.364Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
} ], "modified": "2020-04-08T15:41:19.364Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0", "created": "2023-02-06T19:42:34.537Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-11T22:08:03.095Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-StealthMango", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). 
Stealth Mango & Tangelo. Retrieved September 27, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--76cc66f4-ce85-4873-a63e-879b4a14a540", "created": "2023-03-03T16:23:20.764Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:23:20.764Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has connected to the C2 server via HTTP.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", "type": "relationship", "created": "2019-09-03T19:45:48.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-09-11T13:25:19.178Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f", "created": "2019-10-18T14:50:57.494Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates often contain patches for vulnerabilities.", "modified": "2022-04-11T14:26:44.192Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab", "created": "2020-09-11T14:54:16.589Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb", "created": "2019-08-09T16:19:02.782Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Android Capture Sensor 2019", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", "description": "Android Developers. (, January). Android 9+ Privacy Changes. Retrieved August 27, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019) ", "modified": "2022-04-01T15:21:13.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--24a7379e-a994-411b-b17c-add6c6c6fc07", "type": "relationship", "created": "2020-12-24T21:45:56.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T21:45:56.949Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has hidden malicious functionality in a second stage file and has encrypted C2 server information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "modified": "2019-10-10T15:27:22.175Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", "type": "relationship", "created": "2020-12-24T21:55:56.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. 
Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.692Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", "type": "relationship", "created": "2020-09-11T16:22:03.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", "url": "https://blog.lookout.com/viperrat-mobile-apt", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T16:22:03.250Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3", "created": "2020-04-08T15:41:19.404Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:18:13.761Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device’s contact list.(Citation: Cofense Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", "type": "relationship", "created": "2020-06-02T14:32:31.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", "url": 
"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." } ], "modified": "2020-06-02T14:32:31.777Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251", "type": "relationship", "created": "2020-07-20T13:58:53.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
} ], "modified": "2020-09-24T15:12:24.302Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device’s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3", "created": "2020-07-15T20:20:59.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:53:17.865Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369", "created": "2023-02-02T17:46:27.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": 
"nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:43:17.131Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server. (Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b", "created": "2020-09-11T14:54:16.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:36:55.810Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fa5f3aea-2131-4690-8833-dc428fae2b22", "created": "2023-01-18T21:38:34.350Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:57:53.504Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d64c4924-76f0-4b2e-858d-b0df733334d0", "created": "2023-02-06T19:03:11.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:23:09.430Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can modify system settings to give itself device administrator privileges.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024", "created": "2022-04-15T18:11:06.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Skycure-Profiles", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. 
Retrieved December 22, 2016.", "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:28:11.000Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Skycure-Profiles)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ed48a86f-e55f-4abf-8f18-98591b756399", "created": "2023-03-03T16:19:30.443Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:19:30.443Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hidden the app icon from iOS springboard.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", "type": "relationship", "created": "2020-09-11T14:54:16.644Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "modified": "2020-09-11T14:54:16.644Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83", "type": "relationship", "created": "2020-12-24T21:45:56.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T21:45:56.986Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can install new applications which are obtained from the C2 server.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:53:24.312Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CheckPoint-Judy", "url": 
"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", "type": "relationship", "created": "2019-08-09T17:59:48.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-08-09T17:59:48.988Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "source_name": "PaloAlto-SpyDealer" } ], "modified": "2019-09-18T13:45:58.872Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be", "created": "2021-02-17T20:43:52.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout FrozenCell", "description": "Michael Flossman. 
(2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:30:32.294Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has read SMS messages for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "modified": "2019-08-09T17:53:48.760Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cc81b56c-cf73-4307-b950-e80246985195", "created": "2019-10-18T14:50:57.473Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "OS security updates typically contain exploit patches when disclosed.", "modified": "2022-03-28T19:20:44.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898", "created": "2019-09-04T14:28:16.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:41:16.423Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--36268322-9f5e-4749-8760-6430178a3d68", "created": "2020-06-26T14:55:13.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:25:08.956Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--35927c96-7645-4ef3-b3da-e44822386a10", "created": "2023-01-18T21:43:10.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:47:19.403Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d1318f71-7f70-4820-a3fc-0d05af038733", "created": "2021-10-01T14:42:49.154Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can perform actions when one of two hardcoded magic SMS strings is received.(Citation: SecureList BusyGasper)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5977289e-d38f-4974-912b-2151fc00c850", "type": "relationship", "created": "2020-11-20T16:37:28.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.524Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device’s phone number and IMSI.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", "type": "relationship", "created": "2020-07-27T14:14:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." } ], "modified": "2020-08-10T22:18:20.747Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", "type": "relationship", "created": "2019-09-04T14:28:16.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-09-04T14:32:12.856Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "modified": "2019-10-10T15:24:09.248Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--98ae9cb2-1141-48c6-81fd-f16adb430031", "created": "2023-01-18T19:17:07.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:07:52.850Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` Android permissions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--22f5308c-77ee-4198-be1c-54062aa6a613", "created": "2020-12-31T18:25:05.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:00:13.616Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", "created": "2020-04-08T15:51:25.078Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695", "type": "relationship", "created": "2021-02-08T16:36:20.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "modified": "2021-05-24T13:16:56.589Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8", "created": "2023-03-01T22:18:19.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:14:48.174Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send contact lists to its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", "created": "2022-03-30T19:29:07.379Z", "x_mitre_version": "0.1", "x_mitre_deprecated": 
false, "revoked": false, "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "modified": "2022-03-30T19:29:07.379Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", "type": "relationship", "created": "2020-04-24T15:06:33.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T15:06:33.319Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", "type": "relationship", "created": "2020-09-11T15:57:37.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." } ], "modified": "2020-09-11T15:57:37.770Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2", "created": "2020-09-15T15:18:12.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:58:31.945Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device’s network information.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", "type": "relationship", "created": "2019-09-23T13:36:08.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "modified": "2019-09-23T13:36:08.386Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad", "created": "2022-04-05T19:45:03.117Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T19:45:03.117Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783", "created": "2023-03-20T18:55:51.580Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:55:51.580Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6", "type": "relationship", "created": "2021-01-05T20:16:20.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." } ], "modified": "2021-01-05T20:16:20.484Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can track the device’s location.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4761145d-34ac-4b45-a0d6-a09b1907a196", "type": "relationship", "created": "2020-12-18T20:14:47.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T20:14:47.367Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:49:19.083Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": 
"PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:26:35.443Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3", "created": "2023-02-28T20:31:31.983Z", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T20:31:31.983Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can intercept SMS messages and USSD messages from telecom operators.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:33:12.082Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e", "type": "relationship", "created": "2019-09-03T20:08:00.757Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "modified": "2019-09-15T15:35:33.380Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", "type": "relationship", "created": "2019-09-15T15:32:17.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2020-07-09T14:07:02.315Z", "description": "Application developers could be encouraged to avoid placing sensitive data in notification text.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "source_name": "Kaspersky-Skygofree" } ], "modified": "2019-08-09T18:08:07.145Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7db33293-6971-4c0d-88e0-18f505ebd943", "created": "2022-04-05T20:11:51.188Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Recent OS versions have made it more difficult for applications to register as VPN providers. ", "modified": "2022-04-05T20:11:51.188Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3be6ad82-722d-4699-8e3a-c1ea60018244", "created": "2023-03-16T13:32:55.140Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T13:32:55.140Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106", "created": "2023-03-15T16:26:38.465Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:26:38.465Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b309c25a-6baf-4874-829d-63712a38652c", "created": "2023-02-06T19:02:16.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:21:41.461Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself camera permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "modified": "2019-08-09T17:52:31.818Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6", "created": "2022-04-01T14:59:53.782Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation can often detect jailbroken devices.", "modified": "2022-04-01T14:59:53.782Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a", "created": "2020-12-28T18:47:52.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:22:26.702Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can run commands as root.(Citation: Palo Alto HenBox) ", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", "type": "relationship", "created": "2020-05-07T15:33:32.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "modified": "2020-05-07T15:33:32.945Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device’s application list.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1", "created": "2020-10-29T17:48:27.272Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Threat Fabric Exobot", "url": 
"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.(Citation: Threat Fabric Exobot)", "modified": "2022-04-15T16:53:00.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", "type": "relationship", "created": "2021-02-08T16:36:20.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
} ], "modified": "2021-05-24T13:16:56.443Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--66132260-65d1-4bf5-8200-abdb2014be6f", "created": "2020-09-15T15:18:12.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:51:12.881Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", "type": "relationship", "created": "2019-12-10T16:07:41.093Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." } ], "modified": "2019-12-10T16:07:41.093Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--44da429b-9dee-43c9-9397-445c6f9e647e", "created": "2022-03-30T19:54:59.651Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Android includes system partition integrity mechanisms that could detect unauthorized modifications. 
", "modified": "2022-03-30T19:54:59.651Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. 
", "modified": "2022-03-28T19:20:30.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", "type": "relationship", "created": "2019-09-15T15:35:33.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "source_name": "Talos Gustuff Apr 2019" } ], "modified": "2019-09-15T15:35:33.215Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77", "created": "2022-04-06T15:52:41.579Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T15:52:41.579Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "target_ref": 
"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", "type": "relationship", "created": "2021-04-19T17:05:42.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2021-04-19T17:05:42.574Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5", "created": "2023-03-20T18:50:21.296Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:50:21.296Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--e75c623a-f9ac-4f46-b093-dd0e40b50cc6", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Proofpoint-Marcher", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Marcher](https://attack.mitre.org/software/S0317) attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. [Marcher](https://attack.mitre.org/software/S0317) also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.(Citation: Proofpoint-Marcher)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3", "created": "2023-02-06T19:43:43.574Z", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:43:43.574Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a3c4b392-2879-4f31-9431-3398e034851b", "created": "2022-04-06T13:52:37.470Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be cautioned against granting administrative access to applications.", "modified": "2022-04-06T13:52:37.470Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--818b8c2b-bd23-4a83-9970-d42063608699", "created": "2020-04-24T15:06:33.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:49:04.950Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19", "type": "relationship", "created": "2021-02-17T20:43:52.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
} ], "modified": "2021-02-17T20:43:52.381Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved account information for other applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", "type": "relationship", "created": "2019-07-10T15:35:43.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2019-08-09T18:06:11.797Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--718a612e-50c5-40ab-9081-b88cefeafcb6", "created": "2021-04-26T15:33:55.905Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CitizenLab Circles", "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", "description": "Bill Marczak, 
John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Circles](https://attack.mitre.org/software/S0602) can track the location of mobile devices.(Citation: CitizenLab Circles)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2", "created": "2022-04-08T16:29:55.322Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-08T16:29:55.322Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", "type": "relationship", "created": "2020-09-24T15:34:51.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], "modified": "2020-09-24T15:34:51.244Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b641e5b8-5981-452a-99f0-3598c783e5ee", "created": "2019-08-07T15:57:13.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:30:47.506Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803", "created": "2023-02-06T19:05:00.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:20:37.796Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can obtain a list of installed applications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8", "created": "2023-02-06T18:59:15.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:21:10.915Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device information such as manufacturer, model, version, serial number, and telephone number.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:33:51.882Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10", "created": "2023-03-03T15:36:15.840Z", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T15:36:15.840Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access device call logs.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", "type": "relationship", "created": "2019-09-04T14:28:15.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-09-04T14:32:12.568Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", "type": "relationship", "created": "2019-12-10T16:07:41.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
} ], "modified": "2019-12-10T16:07:41.078Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", "type": "relationship", "created": "2020-06-02T14:32:31.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." } ], "modified": "2020-06-02T14:32:31.875Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86", "created": "2023-03-20T15:16:43.275Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:16:43.275Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", 
"x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", "type": "relationship", "created": "2020-04-08T15:51:25.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." } ], "modified": "2020-04-08T15:51:25.106Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", "type": "relationship", "created": "2020-07-20T13:27:33.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
} ], "modified": "2020-08-10T21:57:54.518Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) sends the device’s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--ede5c314-5988-4151-bb30-b6a6983d02c0", "created": "2020-12-31T18:25:05.164Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has been distributed as updates to legitimate applications. 
This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.(Citation: CYBERWARCON CHEMISTGAMES)", "modified": "2022-04-15T15:16:53.317Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1822e616-ae33-487c-8aa6-4fa81e724184", "created": "2021-02-08T16:36:20.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:06:22.576Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81", "created": "2023-03-20T15:45:44.000Z", "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:45:44.000Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", "type": "relationship", "created": "2019-09-04T15:38:56.562Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", "source_name": "FortiGuard-FlexiSpy" } ], "modified": "2019-10-14T18:08:28.500Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b", "created": "2020-11-24T18:18:33.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). 
Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:24:43.120Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can request device administrator permissions.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36", "created": "2020-05-07T15:33:32.895Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--22041a01-75e7-4ff6-8768-ad45188c53c7", "created": "2023-02-28T21:45:25.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-01T22:03:00.755Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can obtain a list of installed applications.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Gooligan Citation", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e", "created": "2020-07-15T20:20:59.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:50:39.124Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device’s contact list.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39", "created": "2020-06-26T14:55:13.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:59:55.854Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2", "created": "2019-09-04T14:28:15.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:28:58.447Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3dd0cd4d-bcde-4105-b98e-b32add191083", "created": "2020-01-27T17:05:58.331Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:39:39.589Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527", "created": "2019-09-04T14:28:16.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:57:56.616Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7", "type": "relationship", "created": "2019-08-07T15:57:13.388Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "url": "https://securelist.com/mobile-banker-riltok/91374/", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." } ], "modified": "2019-09-18T13:44:13.453Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. 
It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--44304163-9a44-4760-bd04-0e14adb33299", "created": "2022-04-01T15:13:40.779Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "modified": "2022-04-01T15:13:40.779Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", "type": "relationship", "created": "2020-12-31T18:25:05.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": 
"https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." } ], "modified": "2020-12-31T18:25:05.178Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--df337ad4-c88e-425f-b869-ecac29674bf4", "type": "relationship", "created": "2021-03-25T16:39:40.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
} ], "modified": "2021-03-25T16:39:40.200Z", "description": "(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "modified": "2019-08-09T17:53:48.793Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e", "created": "2022-03-30T18:15:03.625Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T18:15:03.625Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", 
"x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11", "created": "2022-09-29T20:08:54.389Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2022-09-30T18:38:37.195Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd", "created": "2021-02-08T16:36:20.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:05:01.189Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:13:36.481Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429", "created": "2022-04-01T18:51:28.859Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates frequently contain patches to vulnerabilities that can be exploited for root access.", "modified": "2022-04-01T18:51:28.859Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-08-09T17:59:49.094Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "modified": "2019-08-09T17:53:48.783Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", "type": "relationship", "created": "2019-10-10T15:27:22.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "source_name": "Lookout-StealthMango" } ], "modified": "2019-10-10T15:27:22.091Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d", "created": "2023-02-06T18:52:40.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:14:41.449Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can intercept SMS messages containing two factor authentication codes.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:27:47.788Z", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a93ee044-bd5d-48f3-972e-0abab780c35c", "created": "2023-02-08T20:05:06.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:21:22.070Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can steal information via malicious JavaScript.(Citation: trendmicro_tianyspy_0122)", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", "type": "relationship", "created": "2019-07-10T15:25:57.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "modified": "2019-08-12T17:30:07.572Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47", "created": "2023-03-20T15:20:11.652Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:20:11.652Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-EnterpriseApps", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send premium SMS messages.(Citation: Lookout-EnterpriseApps)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", "type": "relationship", "created": "2020-05-07T15:33:32.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "modified": "2020-05-07T15:33:32.928Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "BankInfoSecurity-BackDoor", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017." }, { "source_name": "NYTimes-BackDoor", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)", "modified": "2022-04-19T15:46:20.166Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5b235ed4-548d-49f2-ae01-1874666e6747", "created": "2022-03-30T19:51:56.543Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T19:51:56.543Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--dc7ef843-a073-4e23-b717-c505d4863b02", "created": "2023-03-20T18:53:58.856Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:53:58.856Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cbf17fea-141e-44b8-831c-b3cc41066420", "type": "relationship", "created": "2021-01-20T16:01:19.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." } ], "modified": "2021-01-20T16:01:19.409Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "PaloAlto-Xbot", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d", "type": "relationship", "created": "2021-10-01T14:42:48.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "modified": "2021-10-12T13:51:41.045Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect images stored on the device and browser history.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", "type": "relationship", "created": "2019-09-04T15:38:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", "url": "https://www.flexispy.com/en/features-overview.htm", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." } ], "modified": "2019-09-10T14:59:26.171Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694", "type": "relationship", "created": "2019-11-19T17:32:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2019-12-26T16:14:33.468Z", "description": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48", "created": "2023-03-16T18:37:55.715Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:37:55.715Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15", "type": "relationship", "created": "2021-09-24T14:47:34.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-04T20:08:48.439Z", "description": "Device attestation can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af", "created": "2020-12-14T14:52:03.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:52:58.974Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device’s contact list.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", "type": "relationship", "created": "2020-09-11T14:54:16.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
} ], "modified": "2020-09-11T14:54:16.566Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68", "type": "relationship", "created": "2020-12-24T21:45:56.979Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2021-04-19T14:29:46.650Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can retrieve files from external storage and can collect browser data.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51", "created": "2020-12-14T14:52:03.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). 
Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:12:27.624Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea", "created": "2023-02-06T19:45:58.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-11T22:08:45.192Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8a255d63-a770-4b9d-911c-bd906733ceef", "created": "2023-01-18T19:24:36.689Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:05:42.846Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has C2 commands that can move the malware in and out of the foreground. 
(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f", "created": "2021-01-20T16:01:19.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:17:07.374Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd", "created": "2021-01-05T20:16:20.488Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Zscaler TikTok Spyware", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", "description": "S. Desai. (2020, September 8). 
TikTok Spyware. Retrieved January 5, 2021." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can launch a fake Facebook login page.(Citation: Zscaler TikTok Spyware)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", "type": "relationship", "created": "2020-07-20T13:27:33.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "modified": "2020-08-10T21:57:54.537Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57", "created": "2020-11-24T17:55:12.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:22:41.797Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can wipe the device.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9b56528f-cf04-4d81-80ee-7bacb862383a", "created": "2023-03-20T18:57:33.693Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:57:33.693Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a", "created": "2019-07-16T14:33:12.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:25:35.330Z", "description": "[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b", "created": "2020-04-08T15:51:25.128Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:29:36.827Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:28:32.568Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS messages and contact information, and also intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2", "created": "2023-03-20T18:53:15.929Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:53:15.929Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4", "created": "2022-03-28T19:30:27.364Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications.", "modified": 
"2022-03-28T19:30:27.364Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046", "created": "2022-04-05T17:14:35.469Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T17:14:35.469Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", "type": "relationship", "created": "2020-04-24T17:46:31.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T17:46:31.613Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ddca1254-b404-4850-9566-0be35c6d7564", "created": "2020-11-10T17:08:35.771Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:00:11.412Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device’s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d", "created": "2023-03-16T18:28:40.419Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:28:40.419Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc", "created": "2021-10-01T14:42:49.174Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:26:41.762Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2", "created": "2020-07-15T20:20:59.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:29:29.307Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", "type": "relationship", "created": "2019-09-03T19:45:48.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-09-11T13:25:19.114Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6", "type": "relationship", "created": "2020-12-24T22:04:28.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T22:04:28.015Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of installed application names.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", "type": "relationship", "created": "2019-10-14T20:49:24.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "T. Shishkova, L. Pikman. (2018, November 22). 
The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "source_name": "securelist rotexy 2018" } ], "modified": "2019-10-14T20:49:24.571Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2", "created": "2020-07-27T14:14:57.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:52:46.975Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03", "created": "2020-12-24T21:45:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:14:46.472Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", "type": "relationship", "created": "2019-08-09T17:53:48.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "source_name": "TrendMicro-RCSAndroid" } ], "modified": "2019-08-09T17:53:48.716Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c", "created": "2023-03-20T18:51:29.814Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:29.814Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7", "created": "2023-03-20T18:57:42.922Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:57:42.922Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": 
"relationship--c574251b-93ad-4f55-8b84-2700dfab4622", "created": "2020-07-15T20:20:59.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:45:27.443Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", "type": "relationship", "created": "2021-02-17T20:43:52.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", "url": "https://blog.lookout.com/frozencell-mobile-threat", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
} ], "modified": "2021-02-17T20:43:52.274Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has recorded calls.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", "created": "2017-10-25T14:48:53.747Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Android 7 and later, as well as later iOS versions, introduced changes that prevent applications from performing Process Discovery without elevated privileges.", "modified": "2022-03-30T20:32:46.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", "created": "2017-10-25T14:48:53.742Z", "x_mitre_version": "1.0", "x_mitre_deprecated": false, "revoked": false, "description": "Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.", "modified": "2022-04-01T15:34:50.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea", "created": "2022-04-06T13:40:14.515Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android 10 Privacy Changes", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 10 and later prevent applications from accessing clipboard data unless the application is in the foreground or is set as the device’s default input method editor (IME); devices on older Android versions remain exposed to background clipboard reads.(Citation: Android 10 Privacy Changes)", "modified": "2022-04-06T13:40:14.515Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", "type": "relationship", "created": "2020-09-15T15:18:12.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
} ], "modified": "2020-09-15T15:18:12.394Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--327d0102-2113-4e12-be68-504db097a6fd", "created": "2019-08-07T15:57:13.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:01:31.230Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", "created": "2022-04-01T15:16:02.324Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "iOS Universal Links", "url": "https://developer.apple.com/ios/universal-links/", "description": "Apple. (n.d.). Universal Links for Developers. 
Retrieved September 11, 2020." }, { "source_name": "Android App Links", "url": "https://developer.android.com/training/app-links/verify-site-associations", "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." }, { "source_name": "IETF-PKCE", "url": "https://tools.ietf.org/html/rfc7636", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Developers should use verified Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure, OS-verified binding between HTTPS URIs and applications, preventing malicious applications from registering for and intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes: the authorization code is bound to a secret code verifier held only by the legitimate client, so a code captured from an intercepted redirect cannot be exchanged for tokens.", "modified": "2022-04-01T15:16:02.324Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8ff45341-60d6-40d3-bb38-566814a466f9", "created": "2020-07-20T13:27:33.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:51:31.121Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4", "created": "2022-04-05T19:38:41.538Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ", "modified": "2022-04-05T19:38:41.538Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5e95ca90-bf75-4031-a28f-f8565c02185c", "created": "2020-11-24T17:55:12.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). 
GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:23:49.569Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can lock the user out of the device by showing a persistent overlay.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c", "created": "2023-03-03T16:24:30.564Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:24:30.564Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hijacked normal application’s launch routines to display ads.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", "type": "relationship", "created": "2020-11-24T17:55:12.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
} ], "modified": "2020-11-24T17:55:12.885Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c", "created": "2022-04-01T18:48:03.156Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T18:48:03.156Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc", "created": "2022-03-30T19:36:20.304Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "modified": "2022-03-30T19:36:20.304Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], "modified": "2020-07-20T13:49:03.687Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--27490b14-8044-408a-8c6a-6d8427eb78ff", "created": "2023-03-20T18:44:26.233Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:44:26.233Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": 
"relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2", "created": "2020-04-24T17:46:31.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:00:28.299Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e3d04885-95a5-47cb-a038-b58542cf787d", "created": "2019-09-03T19:45:48.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:08:39.524Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", "type": "relationship", "created": "2019-10-15T19:33:42.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], "modified": "2019-10-15T19:33:42.204Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", "type": "relationship", "created": "2020-07-20T13:27:33.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." } ], "modified": "2020-08-10T21:57:54.704Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489)’s code is obfuscated.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--9c853c22-7607-4cbd-b114-08aaa4625c35", "type": "relationship", "created": "2020-12-17T20:15:22.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-28T18:47:52.600Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can collect device information and can check if the device is running MIUI on a Xiaomi device.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f", "created": "2020-09-11T14:54:16.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:21:19.617Z", "description": "If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", "type": "relationship", "created": "2020-11-24T17:55:12.897Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." } ], "modified": "2020-11-24T17:55:12.897Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the user’s browser cookies.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e", "created": "2020-01-27T17:05:58.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:28:07.442Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890", "created": "2023-01-18T19:09:40.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:58:45.439Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can record the screen via the `MediaProjection` library to harvest user credentials, including biometric PINs.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0", "created": "2020-12-24T21:55:56.741Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:51:16.331Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5417959b-9478-49fb-b779-3c82a10ad080", "type": "relationship", "created": "2020-12-17T20:15:22.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
} ], "modified": "2020-12-17T20:15:22.498Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", "type": "relationship", "created": "2020-09-11T15:53:38.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
} ], "modified": "2020-09-11T15:53:38.453Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2f55e452-f8b3-402b-a193-d261dac9f327", "created": "2022-04-01T18:53:48.715Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T18:53:48.715Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0", "type": "relationship", "created": "2020-12-14T14:52:03.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
} ], "modified": "2020-12-16T20:52:21.426Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:43:54.975Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", "type": "relationship", "created": "2020-09-11T14:54:16.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", "url": "https://blog.lookout.com/desert-scorpion-google-play", 
"description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." } ], "modified": "2020-09-11T14:54:16.582Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device’s location.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "TrendMicro-RCSAndroid", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--605d95a1-0493-418e-9d81-de58531c4421", "created": "2020-04-24T15:12:11.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:04:31.136Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd", "created": "2023-03-20T18:51:58.152Z", "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:51:58.152Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506", "type": "relationship", "created": "2020-11-20T16:37:28.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
} ], "modified": "2020-11-20T16:37:28.567Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has encrypted exfiltrated data using AES in ECB mode.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb", "created": "2020-12-14T14:52:03.184Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 2.0)", "modified": "2022-04-12T10:01:44.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5", "created": "2023-03-20T15:21:12.492Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:21:12.492Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--322d0123-ea4c-4562-a718-672952c83d05", "created": "2023-03-20T18:55:54.372Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:55:54.372Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a", "created": "2022-03-30T19:54:43.835Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", "modified": "2022-03-30T19:54:43.835Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47", "created": "2022-04-01T17:08:41.293Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. 
", "modified": "2022-04-01T17:08:41.293Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], "modified": "2019-08-09T17:52:31.748Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b7a31a11-6c84-4c28-a548-4751e4d71134", "created": "2020-05-04T14:04:56.158Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Google Bread", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a", "type": "relationship", "created": "2020-11-10T17:08:35.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-11-10T17:08:35.713Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d63de13b-0253-42f4-b13d-34bccf76ad94", "created": "2023-03-20T18:54:50.323Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:54:50.323Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d", "created": "2022-03-30T20:13:40.625Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be shown what a synthetic activity looks like so they can scrutinize such activities in the future.", "modified": "2022-03-30T20:13:40.625Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": 
"relationship", "id": "relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3", "created": "2023-02-28T21:44:45.063Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:26:33.166Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can use overlays to cover legitimate applications or screens.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "ArsTechnica-HummingWhale", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2018-10-17T00:14:20.652Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Tripwire-MazarBOT", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86", "created": "2022-04-06T13:55:37.498Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should be advised that applications generally do not require permission to send SMS messages.", "modified": "2022-04-06T13:55:37.498Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d", "created": "2019-07-10T15:35:43.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:57:40.371Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", "type": "relationship", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "modified": "2019-10-10T15:27:22.174Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80", "created": "2022-03-30T19:33:05.375Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Security updates typically provide patches for vulnerabilities that enable device rooting.", "modified": "2022-03-30T19:33:05.375Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", "type": "relationship", "created": "2020-01-27T17:49:05.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "source_name": "Trend Micro Bouncing Golf 2019" } ], "modified": "2020-01-27T17:49:05.664Z", "description": "(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0ae94053-1963-45ba-a3a9-62e508281c8e", "created": "2023-01-19T18:06:36.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-29T21:21:58.318Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", "type": "relationship", "created": 
"2020-09-15T15:18:12.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." } ], "modified": "2020-09-15T15:18:12.425Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", "type": "relationship", "created": "2020-05-11T16:13:43.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "modified": "2020-05-11T16:13:43.062Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:26:05.199Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab", "created": "2023-01-18T19:16:15.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). 
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:54:10.458Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use keylogging to steal user banking credentials.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7", "created": "2020-07-20T13:27:33.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:26:22.984Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--eb052029-e1c9-4f24-8594-299aaec7f1df", "created": "2020-12-14T14:52:03.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:42:46.952Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device’s call log.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--67aa692c-24e4-483e-996e-02ce1e861ec8", "created": "2023-02-28T20:37:29.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:09:02.129Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can add display overlays onto banking apps to capture credit card information.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--592331d2-60a7-4264-b844-fbeb89b6386c", "created": "2023-03-20T18:58:56.942Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:58:56.942Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca", "created": "2022-04-06T13:22:57.754Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T13:22:57.754Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "target_ref": 
"attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", "type": "relationship", "created": "2020-07-15T20:20:59.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-07-15T20:20:59.305Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d", "created": "2017-10-25T14:48:53.746Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "TelephonyManager", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html", "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", "modified": "2022-03-30T21:04:59.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:53:53.384Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4aec0738-2c76-4dc7-af8a-87785e658193", "created": "2021-10-01T14:42:49.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:26:18.801Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can run shell commands.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3e2474d3-f36d-4193-92f6-273296befdd3", "created": "2022-04-05T19:38:18.760Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Users should protect their account credentials and enable multi-factor authentication options when available. 
", "modified": "2022-04-05T19:38:18.760Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", "type": "relationship", "created": "2020-06-26T15:12:40.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." 
} ], "modified": "2020-06-26T15:12:40.077Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--1e286a4a-63cd-47df-a034-11a5d92daceb", "created": "2022-04-06T15:41:03.981Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T15:41:03.981Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6846dc09-b66a-42d3-aea2-c80b51f22952", "created": "2023-02-28T21:42:31.008Z", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T21:42:31.008Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record audio using the device microphone.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1", "created": "2021-10-01T14:42:49.176Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "SecureList BusyGasper", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.(Citation: SecureList BusyGasper)", "modified": "2022-04-15T17:33:49.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7", "created": "2023-03-15T16:26:04.949Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-15T16:26:04.949Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e", "created": "2022-03-30T13:45:39.184Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "Device attestation can often detect jailbroken or rooted devices.", "modified": "2022-03-30T13:45:39.184Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", 
"x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", "type": "relationship", "created": "2020-12-18T20:14:47.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
} ], "modified": "2020-12-18T21:00:05.246Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can send SMS messages.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--477edf7d-cc1f-49b7-9d96-f88399808775", "created": "2022-04-05T20:15:43.660Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T20:15:43.660Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd", "created": "2020-12-24T21:41:37.047Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign)", "modified": "2022-04-18T16:04:02.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d7aa436a-e66d-4217-be66-4414703dec07", "type": "relationship", "created": "2020-11-10T17:08:35.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-11-10T17:08:35.634Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", "type": "relationship", "created": "2019-09-03T19:45:48.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SWB Exodus March 2019", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
} ], "modified": "2019-09-11T13:25:19.216Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Lookout-Pegasus", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)", "modified": "2022-04-15T19:47:48.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--8726b157-3575-450f-bb7f-f17bb18e6aef", "created": "2022-03-30T20:41:43.314Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, 
"revoked": false, "description": "New OS releases frequently contain additional limitations or controls around device location access.", "modified": "2022-03-30T20:41:43.314Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e03b25b0-0779-48da-b5d7-28f1f6106363", "type": "relationship", "created": "2020-12-24T22:04:27.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T22:04:27.992Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken screenshots.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de", "created": "2023-01-18T19:16:45.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). 
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:07:34.581Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has used custom encryption to hide strings, potentially to evade antivirus products.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57", "created": "2023-03-20T18:43:49.345Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:49.345Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f012feab-5612-429f-81bd-ff75d6ffd04e", "created": "2022-04-05T17:03:34.941Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-05T17:03:34.941Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", "type": "relationship", "created": "2020-07-20T13:49:03.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." } ], "modified": "2020-09-24T15:12:24.242Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device’s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--4586277d-bebd-4717-87c6-a31a9be741ed", "type": "relationship", "created": "2020-12-24T21:45:56.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-12-24T21:45:56.982Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can get file lists on the SD card.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", "type": "relationship", "created": "2020-05-07T15:24:49.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2020-05-27T13:23:34.536Z", "description": "Security updates frequently contain patches to vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9", "created": "2021-01-05T20:16:20.500Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:27:33.948Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect SMS messages from the device.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c", "created": "2021-01-05T20:16:20.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:40:43.898Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect the device’s call logs.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106", "type": "relationship", "created": "2020-12-14T14:52:03.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
} ], "modified": "2020-12-14T14:52:03.255Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--e7af5be1-721f-40c5-b647-659243a0a14b", "type": "relationship", "created": "2020-04-08T15:41:19.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cofense Anubis", "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." } ], "modified": "2021-09-20T13:50:02.057Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e", "created": "2022-03-30T20:45:34.433Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Android Package Visibility", "url": "https://developer.android.com/training/package-visibility", "description": "Google. (n.d.). Package visibility filtering on Android. 
Retrieved April 11, 2022." } ], "x_mitre_deprecated": false, "revoked": false, "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", "modified": "2022-04-11T19:19:52.562Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--50c81a85-8c70-48df-a338-8622d2debc74", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:38:39.008Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549", "created": "2023-03-20T18:24:56.396Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:24:56.396Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--bde9304b-4421-4185-a2c6-dabe1c080587", "created": "2023-03-16T18:31:48.708Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-16T18:31:48.708Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": 
"3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b", "created": "2023-03-20T18:59:46.622Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:59:46.622Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:34:08.372Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", "type": "relationship", "created": "2019-09-04T14:28:15.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", "source_name": "Lookout-Monokle" } ], "modified": "2019-10-14T17:51:37.979Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. 
[Monokle](https://attack.mitre.org/software/S0407) can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--75989cf6-c023-4ed3-9d23-a83f55690186", "created": "2023-02-28T21:43:36.886Z", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T21:43:36.886Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can read incoming text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", "type": "relationship", "created": "2020-07-15T20:20:59.316Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." } ], "modified": "2020-07-15T20:20:59.316Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--684c17bb-2075-4e1f-9fcb-17408511222d", "type": "relationship", "created": "2021-09-20T13:54:19.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2021-09-20T13:54:19.957Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f", "created": "2023-03-20T15:56:34.418Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T15:56:34.418Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7", "created": "2020-11-24T17:55:12.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:22:27.554Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request device administrator permissions.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9", "created": "2020-09-15T15:18:12.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:56:18.859Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device’s contact list.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--a451966b-f826-422b-9505-f564b9988a9c", "created": "2020-12-24T21:55:56.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:27:39.012Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--e457921c-4a0b-4d6e-92e7-553929ddf943", "created": "2023-02-06T18:51:14.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:23:48.120Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55", "created": "2023-03-03T16:23:56.031Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:23:56.031Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--d2749285-47d9-44a4-962f-9215e6fb580e", "created": "2020-10-29T17:48:27.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T19:54:30.569Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can access the device’s contact list.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7", "type": "relationship", "created": "2020-12-31T18:25:05.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
} ], "modified": "2020-12-31T18:25:05.125Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can collect files from the filesystem and account information from Google Chrome.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--13aba849-5004-4457-9f3b-49e470b589e0", "created": "2023-03-20T18:43:44.617Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:43:44.617Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:38:56.380Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--209aa948-393c-46b0-9488-ef93a6252438", "created": "2022-03-30T20:07:19.296Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-30T20:07:19.296Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--93b6bf37-5614-4317-8ed7-42f098152c40", "created": "2023-02-28T20:39:18.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-31T22:10:38.672Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use a SOCKS proxy to evade C2 IP detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", "type": "relationship", "created": "2020-04-24T17:46:31.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
} ], "modified": "2020-04-24T17:46:31.603Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", "created": "2017-12-14T16:46:06.044Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Kaspersky-WUC", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016." } ], "x_mitre_deprecated": false, "revoked": false, "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)", "modified": "2022-04-19T14:25:41.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3", "created": "2020-09-15T15:18:12.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:42:40.327Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f", "type": "relationship", "created": "2020-11-10T17:08:35.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
} ], "modified": "2020-11-10T17:08:35.644Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", "type": "relationship", "created": "2020-12-18T20:14:47.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." } ], "modified": "2020-12-28T18:59:33.140Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device’s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016", "created": "2022-04-15T18:12:53.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). 
KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:28:29.839Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], "modified": "2018-10-17T00:14:20.652Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T21:25:52.381Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--1c180c0e-c789-4176-b568-789ada9487bb", "type": "relationship", "created": "2020-10-29T19:21:23.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." 
} ], "modified": "2020-10-29T19:21:23.162Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--de4ecfa3-fa91-4377-810c-5c567de9688b", "created": "2021-01-05T20:16:20.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T20:38:01.842Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can delete attacker-specified files.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae", "type": "relationship", "created": "2020-11-10T17:08:35.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout 
Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-01T19:48:44.878Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d", "created": "2023-02-28T21:43:12.487Z", "revoked": false, "external_references": [ { "source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-28T21:43:12.487Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can make and block phone calls.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7", "created": "2023-01-18T19:19:34.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T17:52:35.805Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can send stolen data back to the C2 server.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--f5d24a31-53d2-4e84-9110-2da0582132cb", "created": "2020-05-07T15:33:32.936Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "CheckPoint Agent Smith", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[Agent Smith](https://attack.mitre.org/software/S0440)’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)", "modified": "2022-04-15T16:44:17.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31", "created": "2022-04-06T13:41:17.517Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-06T13:41:17.517Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", "type": "relationship", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], "modified": "2019-10-10T15:24:09.355Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--2acc0c1a-af30-4410-976b-31148df5378d", "created": "2022-03-28T19:39:42.538Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-03-28T19:39:42.538Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b", "created": "2021-01-05T20:16:20.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:47:18.774Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has registered for device boot, incoming, and outgoing calls broadcast intents.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5", "created": "2023-03-03T16:26:20.400Z", "revoked": false, "external_references": [ { "source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-03T16:26:20.400Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about running processes.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--3bf4b093-a1a3-48da-9236-bce9514765eb", "created": "2022-04-05T19:46:05.853Z", "x_mitre_version": "0.1", "external_references": [ { "source_name": "Samsung Keyboards", "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted. Retrieved September 1, 2019." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)", "modified": "2022-04-05T19:46:05.853Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45", "created": "2023-02-06T19:47:26.528Z", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:47:26.528Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--70fa8498-6117-4e15-ae3c-f53d63996826", "type": "relationship", "created": "2020-06-26T15:32:25.050Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." } ], "modified": "2020-06-26T15:32:25.050Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device’s location.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396", "created": "2023-03-20T18:40:12.814Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:40:12.814Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc", "type": "relationship", "created": "2020-12-24T21:55:56.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", "description": "A. Kumar, K. Del Rosso, J. 
Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." } ], "modified": "2020-12-24T21:55:56.688Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd", "created": "2022-04-01T18:50:00.027Z", "x_mitre_version": "0.1", "x_mitre_deprecated": false, "revoked": false, "description": "", "modified": "2022-04-01T18:50:00.027Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--290a627d-172d-494d-a0cc-685f480a1034", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:36:27.983Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--084786ee-9384-4a00-9e1b-48f94ea70126", "created": "2019-09-03T19:45:48.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:09:45.426Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", "created": "2020-06-26T14:55:13.349Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "Cybereason EventBot", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
} ], "x_mitre_deprecated": false, "revoked": false, "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", "modified": "2022-04-18T15:57:14.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--48486680-530c-4ed9-aca3-94969aa262b6", "created": "2019-07-10T15:35:43.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-04-05T17:38:00.609Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", "type": "relationship", "created": "2020-09-11T15:45:38.450Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." } ], "modified": "2020-09-11T15:45:38.450Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--0291c9d5-8977-420d-8374-b786e3095a73", "created": "2023-03-20T18:49:53.204Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-20T18:49:53.204Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364", "created": "2023-02-06T19:46:19.592Z", "revoked": false, "external_references": [ { "source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-02-06T19:46:19.592Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", "id": "relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c", "created": "2023-01-18T21:38:58.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2023-03-27T18:49:16.069Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T19:59:14.491Z", "name": "API Calls", "description": "API calls utilized by an application that could indicate malicious activity", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "created": "2023-03-13T19:59:14.491Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T20:48:14.540Z", "name": "System Settings", "description": "Settings visible to the user on the device", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", 
"type": "x-mitre-data-component", "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "created": "2023-03-13T20:48:14.540Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "aliases": [ "Windshift", "Bahamut" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "type": "intrusion-set", "created": "2020-06-25T17:16:39.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "G0112", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0112" }, { "source_name": "Bahamut", "description": "(Citation: SANS Windshift August 2018)" }, { "source_name": "SANS Windshift August 2018", "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020." }, { "source_name": "objective-see windtail1 dec 2018", "url": "https://objective-see.com/blog/blog_0x3B.html", "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019." }, { "source_name": "objective-see windtail2 jan 2019", "url": "https://objective-see.com/blog/blog_0x3D.html", "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019." 
} ], "modified": "2021-04-26T14:37:33.234Z", "name": "Windshift", "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "x_mitre_version": "1.1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "aliases": [ "Dark Caracal" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "type": "intrusion-set", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0070", "external_id": "G0070" }, { "source_name": "Dark Caracal", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "source_name": "Lookout Dark Caracal Jan 2018" } ], "modified": "2021-10-11T19:08:18.503Z", "name": "Dark Caracal", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 
(Citation: Lookout Dark Caracal Jan 2018)", "x_mitre_version": "1.3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.272Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-20T20:22:45.613Z", "name": "Host Status", "description": "Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)", "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T20:00:08.487Z", "name": "Permissions Requests", "description": "Permissions declared in an application's manifest or property list file", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_deprecated": false, 
"x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "created": "2023-03-13T20:00:08.487Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-17T19:51:56.531Z", "name": "Earth Lusca", "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", "aliases": [ "Earth Lusca", "TAG-22" ], "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "intrusion-set", "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", 
"created": "2022-07-01T20:12:30.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1006", "external_id": "G1006" }, { "source_name": "TAG-22", "description": "(Citation: Recorded Future TAG-22 July 2021)" }, { "source_name": "TrendMicro EarthLusca 2022", "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.", "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" }, { "source_name": "Recorded Future TAG-22 July 2021", "description": "INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.", "url": "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.274Z", "name": "Network Traffic Flow", "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_version": "1.0", 
"x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-20T20:18:06.745Z", "name": "Network Connection Creation", "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T20:47:52.557Z", "name": "System Notifications", "description": "Notifications generated by the OS", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "created": "2023-03-13T20:47:52.557Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-09-30T21:05:22.490Z", "name": "Operation Dust Storm", "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United 
States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", "aliases": [ "Operation Dust Storm" ], "first_seen": "2010-01-01T07:00:00.000Z", "last_seen": "2016-02-01T06:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "created": "2022-09-29T20:00:38.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0016", "external_id": "C0016" }, { "source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.0.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ] }, { "modified": "2023-03-13T19:59:42.141Z", "name": "Network Communication", "description": "Network requests made by an application or domains contacted", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "created": "2023-03-13T19:59:42.141Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.272Z", "name": "Process Termination", "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T20:47:24.038Z", "name": "Permissions Request", 
"description": "System prompts triggered when an application requests new or additional permissions", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "created": "2023-03-13T20:47:24.038Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-26T17:51:20.401Z", "name": "APT28", "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Swallowtail", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127" ], "x_mitre_deprecated": false, "x_mitre_version": "4.0", "x_mitre_contributors": [ "Sébastien Ruel, CGI", "Drew Church, Splunk", "Emily Ratliff, IBM", "Richard Gold, Digital Shadows" ], "type": "intrusion-set", "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "created": "2017-05-31T21:31:48.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0007", "external_id": "G0007" }, { "source_name": "SNAKEMACKEREL", "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" }, { "source_name": "Fancy Bear", "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" }, { "source_name": "Tsar Team", "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos 
Seduploader Oct 2017)" }, { "source_name": "APT28", "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" }, { "source_name": "STRONTIUM", "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" }, { "source_name": "IRON TWILIGHT", "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)" }, { "source_name": "Threat Group-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "TG-4127", "description": "(Citation: SecureWorks TG-4127)" }, { "source_name": "Pawn Storm", "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) " }, { "source_name": "Swallowtail", "description": "(Citation: Symantec APT28 Oct 2018)" }, { "source_name": "Group 74", "description": "(Citation: Talos Seduploader Oct 2017)" }, { "source_name": "Accenture SNAKEMACKEREL Nov 2018", "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.", "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" }, { "source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016.", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" }, { "source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download" }, { "source_name": "GRIZZLY STEPPE JAR", "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.", "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" }, { "source_name": "ESET Zebrocy May 2019", "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" }, { "source_name": "ESET Sednit Part 3", "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" }, { "source_name": "Sofacy DealersChoice", "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { "source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" }, { "source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015.", "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "source_name": "Ars Technica GRU indictment Jul 2018", "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" }, { "source_name": "TrendMicro Pawn Storm Dec 2020", "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.", "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" }, { "source_name": "Securelist Sofacy Feb 2018", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" }, { "source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, { "source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" }, { "source_name": "Talos Seduploader Oct 2017", "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. 
Retrieved November 2, 2018.", "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" }, { "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.", "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" }, { "source_name": "Microsoft STRONTIUM Aug 2019", "description": "MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.", "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" }, { "source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", "url": "https://www.justice.gov/file/1080281/download" }, { "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021", "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.", "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" }, { "source_name": "NSA/FBI Drovorub August 2020", "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" }, { "source_name": "SecureWorks TG-4127", "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. 
Retrieved August 3, 2016.", "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" }, { "source_name": "Secureworks IRON TWILIGHT Active Measures March 2017", "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.", "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures" }, { "source_name": "Secureworks IRON TWILIGHT Profile", "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.", "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight" }, { "source_name": "Symantec APT28 Oct 2018", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" }, { "source_name": "Sednit", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)" }, { "source_name": "Sofacy", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.274Z", "name": "Network Traffic Content", "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-07T16:14:39.124Z", "name": "Command Execution", "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-07T16:15:56.932Z", "name": "Process Creation", "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. 
Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "aliases": [ "Bouncing Golf" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "type": "intrusion-set", "created": "2020-01-27T16:55:39.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "external_id": "G0097", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0097" }, { "source_name": "Trend Micro Bouncing Golf 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020." 
} ], "modified": "2020-03-26T20:58:44.722Z", "name": "Bouncing Golf", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", "x_mitre_version": "1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T20:00:38.029Z", "name": "Protected Configuration", "description": "Device configuration options that are not typically utilized by benign applications", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "created": "2023-03-13T20:00:38.029Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-08T22:12:31.238Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical 
companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM" ], "x_mitre_deprecated": false, "x_mitre_version": "3.0", "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "type": "intrusion-set", "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "created": "2017-05-31T21:32:04.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0034", "external_id": "G0034" }, { "source_name": "Voodoo Bear", "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "ELECTRUM", "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Sandworm Team", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Quedagh", "description": "(Citation: 
iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "IRIDIUM", "description": "(Citation: Microsoft Prestige ransomware October 2022)" }, { "source_name": "BlackEnergy (Group)", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "Telebots", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "IRON VIKING", "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" }, { "source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download" }, { "source_name": "Dragos ELECTRUM", "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", "url": "https://www.dragos.com/resource/electrum/" }, { "source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" }, { "source_name": "iSIGHT Sandworm 2014", "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" }, { "source_name": "CrowdStrike VOODOO BEAR", "description": "Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. 
Retrieved May 22, 2018.", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" }, { "source_name": "Microsoft Prestige ransomware October 2022", "description": "MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" }, { "source_name": "InfoSecurity Sandworm Oct 2014", "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.", "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" }, { "source_name": "NCSC Sandworm Feb 2020", "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" }, { "source_name": "USDOJ Sandworm Feb 2020", "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" }, { "source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download" }, { "source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" }, { "source_name": "UK NCSC Olympic Attacks October 2020", "description": "UK NCSC. (2020, October 19). 
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "ics-attack", "enterprise-attack", "mobile-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T19:30:41.131Z", "name": "Application Vetting", "description": "Application vetting report generated by an external cloud service.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_collection_layers": [ "Report" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "created": "2023-03-13T19:30:41.131Z", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0041", "external_id": "DS0041" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-13T19:36:25.108Z", "name": "User Interface", "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", "x_mitre_collection_layers": [ "Device" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "created": "2023-03-13T19:36:25.108Z", "revoked": false, "external_references": [ { "source_name": 
"mitre-attack", "url": "https://attack.mitre.org/datasources/DS0042", "external_id": "DS0042" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-20T18:38:26.515Z", "name": "Process", "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", "x_mitre_platforms": [ "Linux", "Windows", "macOS", "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0009", "external_id": "DS0009" }, { "source_name": "Microsoft Processes and Threads", "description": "Microsoft. (2018, May 31). Processes and Threads. 
Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-20T18:38:40.409Z", "name": "Sensor Health", "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", "x_mitre_platforms": [ "Linux", "Windows", "macOS", "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ "Host" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0013", "external_id": "DS0013" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-20T18:38:13.356Z", "name": "Network Traffic", "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_platforms": [ "IaaS", "Linux", "Windows", "macOS", "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "ExtraHop" ], "x_mitre_collection_layers": [ "Cloud Control Plane", 
"Host", "Network" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0029", "external_id": "DS0029" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-04-20T18:38:00.625Z", "name": "Command", "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", "x_mitre_platforms": [ "Containers", "Linux", "Network", "Windows", "macOS", "Android", "iOS" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], "x_mitre_version": "1.1", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)", "Austin Clark, @c2defense" ], "x_mitre_collection_layers": [ "Container", "Host" ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0017", "external_id": "DS0017" }, { "source_name": "Confluence Linux Command Line", "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" }, { "source_name": "Audit OSX", "description": "Gagliardi, R. (n.d.). Audit in a OS X System. 
Retrieved September 23, 2021.", "url": "https://www.scip.ch/en/?labs.20150108" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "type": "identity", "identity_class": "organization", "created": "2017-06-01T00:00:00.000Z", "modified": "2017-06-01T00:00:00.000Z", "name": "The MITRE Corporation" }, { "definition": { "statement": "Copyright 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." }, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement", "x_mitre_attack_spec_version": "2.1.0" } ], "spec_version": "2.0" }