{
"type": "bundle",
"id": "bundle--c0c5fc01-4a76-4475-8df2-3ba34ad9e12b",
"spec_version": "2.1",
"objects": [
{
"type": "x-mitre-collection",
"id": "x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"name": "Mobile ATT&CK",
"x_mitre_version": "1.0",
"description": "ATT&CK for Mobile is a matrix of adversary behavior against mobile devices (smartphones and tablets running the Android or iOS/iPadOS operating systems). ATT&CK for Mobile builds upon NIST's Mobile Threat Catalogue and also contains a separate matrix of network-based effects, which are techniques that an adversary can employ without access to the mobile device itself.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-01-17T12:56:55.080Z",
"modified": "2018-01-17T12:56:55.080Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contents": [
{
"object_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--55f12292-dc9d-4bfd-9de9-2d07cd67b044",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--077da2d7-0913-4040-b25e-2f6913ed4ea0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4a697724-4457-436b-97ad-9d6f445fb6b0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b2c289bf-e981-4bcd-87dd-b6c0680557e9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3c2d7ccc-5980-4012-8aab-64979bcd0ea6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--49fe6eac-73a7-4147-9121-85fb71fca4ed",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8e49feb1-e401-4e63-acfa-7f8b9a8ca026",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--85328449-c231-444d-905a-2988c14d3e82",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--93a524e2-cb17-4b40-8640-a03949e89775",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b28c1e81-4f78-4e40-9899-2872cdbcceba",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--69d6f3fc-17ea-4a32-b4dd-a006c75362d6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--e183af70-44d5-4d56-9aad-753eb4c1c964",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9e83607e-2936-4f25-b6d2-c357846840f3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b23ec81b-8610-4bb0-a837-2c316c67fa79",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--fab8c40d-b934-4ee0-8e83-f017af2e347a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--be2895e2-7e1d-4467-8b6a-ac06b17ce0bb",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--92333055-88ce-4db2-a589-e0e1e617d8e0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7ec08d5c-73a1-4444-bd27-892090d6b2e3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--5b9a54cd-4925-4a2b-ad61-27d70e673093",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8e94da58-86b7-4a45-886e-6da58828eacd",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0673ca70-d403-4e49-8e18-de4bf8ab700c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--bf859944-d097-45ba-ae01-2f85a00cad1f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--cdb1ed75-d8a5-4088-b282-0b85588bbc8c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b104c62f-771c-46c5-afc4-a964a94cea50",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--5b14149e-09f1-4d38-82bc-0ff3cff8b650",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2388ba94-8e49-40d0-a697-eea948e6cfb6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--09fa9342-34cb-4f0d-8cdf-df4d51d0ae12",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--86696d32-0af7-4308-b1fe-52306b9f839a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--1a62c9c7-2d3b-4ee7-87d1-d8774050c566",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ba556d98-4ff2-43a4-bb93-52f99265ff99",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a4b53160-fdb8-4cab-90cc-ad12ab13a8a0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f6fa0801-418e-43e5-bfae-332e909624fc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--16f55053-285d-411d-881c-6f8c1bdef8d7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--05c87985-4f8a-4a38-b1cd-ab01f0a628ed",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--718949aa-6841-48d2-9343-f01be0aa32c1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--64a6fb42-65ce-4160-a5c8-ac176f60a2ae",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2f5da3a1-19da-421f-be48-cfdcd3c79be1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--fa7b38df-eedc-469b-bcec-facdd8365231",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--15a2702e-4e49-4255-909d-bbf94abfd1d7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--690111d3-c281-4d55-a7ed-73b8dab72a85",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--94a737af-9a72-48f6-a85e-d9d7fa93bfdd",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b5097495-f417-46ed-88e2-02cba2371936",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--c5b80ca7-eceb-43ea-991e-10af5d9ca4bc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--047ab474-c4ec-4675-a817-1e0a9f8dd92f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ca7c3278-1d12-4e55-b320-39efa5a285db",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--96027d55-0bdb-4f5f-a559-66c93eab3a17",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--5f6f5913-cade-4b14-aa96-5a921b0927a7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--08e7c0ad-f2d7-472c-97de-3627ca5d2991",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--dc6eb5d7-acef-4eb4-bece-4e8c90c914dc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--26a9db86-5ecf-400a-bdd9-419448c2f776",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6f8b3839-ea91-44d5-ba68-b9d1e6076c19",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6d8ea31a-da35-442a-8e0d-1d0c0dcdf14b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a01af4da-0910-4a20-805f-86b3ae1dc046",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--51186ad6-e721-49cf-9cf7-89466d5f29f4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--00b20e5c-5f52-4a07-bfec-e30872e793e3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3230c032-17e0-49f7-b948-c157049aafe2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--95f4db59-e0b4-4c1b-b888-1fc76b21e8c0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a834341f-d909-41e3-adaf-5f3450e4090e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--31942635-81b1-4657-8882-50fb97fae64b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--c2437c8b-709f-47e8-ae65-21ae48410a9e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--554ec347-c8b2-43da-876b-36608dcc543d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--513c05e2-afc6-4d1b-8a8e-6d6935a8626f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--de1b1f92-c060-4d8c-81bf-465b7fb21be4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d22dc053-24a7-4a5b-ae51-8a626569ec9b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--bebf345c-21d5-410f-9015-90c144161e5d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4d2d892c-9d3a-445c-b9bf-1eab45703dcc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6bb99599-aa51-4492-9c79-296a772233b4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--1ed76ca9-0ed6-40f9-89c6-64662fdd447d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6eca2456-fdcf-42e9-bcbb-a4c51ce54139",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--37c4a0cf-0552-46fd-b067-419b15833044",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3a9467d4-09df-4266-ba5a-d40309949e70",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--176ba064-0657-4850-baa3-626bc845efd3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--69bdeed3-d6a8-4d10-8bf5-44c6cb4392e5",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a912f528-5218-4e0b-a350-7e9012cccdf3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9adde9d7-4ba0-4e35-93ba-1e85e9eb16bc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--903660e1-3996-4ed2-9e7a-4f8c397a71eb",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7b899be0-4a9c-4e52-aeab-d8acedfe26d0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d98a030f-c551-4fd0-9948-32e1ea01f79c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3f3d63f0-1f03-4931-9624-10eaf4b207b4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--1a493cb6-452f-46ce-a7b4-267eacd5d2ff",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3baf01c5-591b-43a0-8963-506531313e68",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--aa23a2c6-ed8a-4453-95d1-f9a47e14b0f9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6f1cadef-283b-466b-bfa2-0cb51edf88f7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--74155759-4c76-42d3-b64f-a898f7b582f9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--50986206-ad56-4dea-baed-846545fb2f5a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4cf9511e-da0e-4055-bc8c-56121ae120d2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--49f0f7b8-7208-4650-89c2-5d6b1f166113",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ef7f8f51-6aea-4f5c-9c96-f353a14cf062",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0977107c-9dd3-4cc5-b769-7e29da9f4bb6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--aa39b402-7ecc-4057-a989-663887e540e7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--62480750-2218-4ea0-b168-b9035b9ee998",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--72d7fa07-e559-4e35-b791-64b7bf8a0aef",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ebdb9385-6311-4532-b021-2da48734aab7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8aa790cc-0d42-4114-8cbe-783abc595b8b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6407562a-d297-43cd-95df-aec9cf501ce2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8ccfab20-58cf-4af6-9fb0-6bbf59258ac9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b4e055cf-f77e-4888-9610-6cd328e035c8",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2bd272ca-8a14-42cd-9664-6cc6f7451e42",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4caf3ad1-6ef8-42de-851d-bdc3a22977b3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d6930d98-f8a2-4556-baa4-95275d3fa23d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6c0491ee-53e0-44ae-bcd0-253fc47de61e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8f7c14bf-4c0f-4e54-99c2-41b511220b33",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0818895a-0d6d-47cc-ad34-a09bdb76a81b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--69efe716-affe-419e-ac06-924d2e416695",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--634e2691-341f-4e5b-83e7-e28369d88c64",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b2b31911-5b7e-4df3-89c6-00b5b372fb4f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4df969b3-f5a0-4802-b87e-a458e3e439ed",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--aaf0ae2f-07ea-479e-8419-e524e23dbaef",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3a446bee-007b-4b1f-849e-60e9d39c2e92",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--095f71ad-9a93-45ce-9b77-a101f6c894de",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--dfc1f490-f8b9-4287-8c79-652d42f0a64a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--465ff71b-2b1b-43b6-ab78-afb273d956d2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b1f2770e-11f0-429c-9bac-9fa5bc5859b0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f2e23cb7-7bac-4938-91ea-7dd42b41ba29",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d792bffd-6745-4da6-a70f-2d5843ef05ca",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--290a627d-172d-494d-a0cc-685f480a1034",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--fb371daf-2771-488f-90ca-5e08b9a36c5c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7c966cde-22fd-4eb2-b518-3e37a8fad88b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3faed885-6a3d-444f-8e57-fd8818abb1cc",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f14af74f-fb6b-480f-91de-d755c89960ce",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7e4be913-d916-4a79-ac00-262a49afe070",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ed06f5dc-9d02-4896-a0a3-2f457c64f125",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--5f82db63-d7c2-43c7-a056-3cf718201ced",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ac523dfb-36be-4402-acf2-abe98e183eef",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9f737872-3503-4ef4-b575-ab6037b33a98",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b596251a-73db-4e53-a04d-51be783b0241",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--6fce6a21-ab9b-44a5-be20-9b631109487b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--51757971-17ac-40c3-bae7-78365579db49",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--63e67cba-4eae-4495-8897-2610103a0c41",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7d481598-ece7-469c-b231-619a804c25e5",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--34351abd-1f58-420a-a893-ad822839815d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9e77b80d-4981-4908-9203-c4e7cea5b5d8",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0e81eb1d-cd1e-43e1-8c09-03927681ce76",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4088b31b-d542-4935-84b4-82b592159591",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--e3a03a80-0e31-43ef-b802-d6f65c44896d",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--f0851531-e554-4658-920c-f2342632c19a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--ebc0aa93-93ac-4b7e-ad87-9d5743a09c8e",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--319d46b5-de41-4f23-9001-2fa75f954720",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9d7ac1b2-3fa9-4236-b72d-5565f0c66eab",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--efcfe1a3-3351-4b4f-ae36-101f103b4798",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--13efc415-5e17-4a16-81c2-64e74815907f",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--8e4b2305-1280-4456-8ec7-93c66da5c674",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--c5d6fb25-1782-44c4-b3ae-0cd72e8a6d37",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--eb686f55-85de-42d8-a5a1-69a78af0f1f3",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "relationship--40581c90-e948-4e91-8530-a9bc59cce9d7",
"object_modified": "2018-01-17T12:56:55.080Z"
},
{
"object_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_modified": "2017-06-01T00:00:00.000Z"
}
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:08.613Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Abuse Accessibility Features",
"description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1056",
"external_id": "MOB-T1056"
},
{
"source_name": "Skycure-Accessibility",
"description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.",
"url": "https://www.skycure.com/blog/accessibility-clickjacking/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.774Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Abuse Device Administrator Access to Prevent Removal",
"description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.\n\nDetection: The device user can view a list of apps with Device Administrator privilege in the device settings.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1004",
"external_id": "MOB-T1004"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
"external_id": "APP-22"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:16.288Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Abuse of iOS Enterprise App Signing Key",
"description": "An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple's App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).\n\nDetection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store.\n\nPlatforms: iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-other-means"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1048",
"external_id": "MOB-T1048"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-23.html",
"external_id": "ECO-23"
},
{
"source_name": "Xiao-iOS",
"description": "Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.",
"url": "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:20.727Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Calendar Entries",
"description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1038",
"external_id": "MOB-T1038"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.116Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Call Log",
"description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.\n\nDetection: On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1036",
"external_id": "MOB-T1036"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.535Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Contact List",
"description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1035",
"external_id": "MOB-T1035"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.176Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Sensitive Data in Device Logs",
"description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1016",
"external_id": "MOB-T1016"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html",
"external_id": "APP-3"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:15.402Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Access Sensitive Data or Credentials in Files",
"description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1012",
"external_id": "MOB-T1012"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html",
"external_id": "AUT-0"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:27.307Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Alternate Network Mediums",
"description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exfiltration"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1041",
"external_id": "MOB-T1041"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
"external_id": "APP-30"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.008Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Android Intent Hijacking",
"description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1019",
"external_id": "MOB-T1019"
},
{
"source_name": "IETF-PKCE",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
"url": "https://tools.ietf.org/html/rfc7636"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.127Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "App Auto-Start at Device Boot",
"description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\nZhou and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1005",
"external_id": "MOB-T1005"
},
{
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.",
"url": "http://ieeexplore.ieee.org/document/6234407"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:10.699Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "App Delivered via Email Attachment",
"description": "The application is delivered as an email attachment.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-other-means"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1037",
"external_id": "MOB-T1037"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"external_id": "AUT-9"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html",
"external_id": "ECO-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:11.861Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "App Delivered via Web Download",
"description": "The application is downloaded from an arbitrary web site. A link to the application's download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-other-means"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1034",
"external_id": "MOB-T1034"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"external_id": "AUT-9"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html",
"external_id": "ECO-21"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.067Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Application Discovery",
"description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device as described by Kurtz (Citation: Kurtz-MaliciousiOSApps), however use of private API calls will likely prevent the application from being distributed through Apple's App Store.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1021",
"external_id": "MOB-T1021"
},
{
"source_name": "Android-PackageManager",
"description": "Android. (n.d.). PackageManager. Retrieved December 21, 2016.",
"url": "https://developer.android.com/reference/android/content/pm/PackageManager.html"
},
{
"source_name": "Kurtz-MaliciousiOSApps",
"description": "Andreas Kurtz. (2014, September 18). Malicious iOS Apps. Retrieved December 21, 2016.",
"url": "https://andreas-kurtz.de/2014/09/malicious-ios-apps/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:13.625Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Attack PC via USB Connection",
"description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "lateral-movement"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1030",
"external_id": "MOB-T1030"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html",
"external_id": "PHY-2"
},
{
"source_name": "Wang-ExploitingUSB",
"description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016.",
"url": "http://dl.acm.org/citation.cfm?id=1920314"
},
{
"source_name": "ArsTechnica-PoisonTap",
"description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.",
"url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.069Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Biometric Spoofing",
"description": "An adversary could attempt to spoof a mobile device's biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-physical-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1063",
"external_id": "MOB-T1063"
},
{
"source_name": "SRLabs-Fingerprint",
"description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.",
"url": "https://srlabs.de/bites/spoofing-fingerprints/"
},
{
"source_name": "Apple-TouchID",
"description": "Apple. (2015, November 3). About Touch ID security on iPhone and iPad. Retrieved December 23, 2016.",
"url": "https://support.apple.com/en-us/HT204587"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.996Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Capture Clipboard Data",
"description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1017",
"external_id": "MOB-T1017"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html",
"external_id": "APP-35"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:15.920Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Capture SMS Messages",
"description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1015",
"external_id": "MOB-T1015"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:16.650Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Commonly Used Port",
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exfiltration"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1039",
"external_id": "MOB-T1039"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.473Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Detect App Analysis Environment",
"description": "An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.\n\nDiscussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).\n\n (Citation: Wang) presents a discussion of iOS anti-analysis techniques.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-authorized-app-store"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1043",
"external_id": "MOB-T1043"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
"external_id": "APP-20"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
"external_id": "APP-21"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html",
"external_id": "ECO-22"
},
{
"source_name": "Petsas",
"description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.",
"url": "http://dl.acm.org/citation.cfm?id=2592796"
},
{
"source_name": "Oberheide-Bouncer",
"description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.",
"url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf"
},
{
"source_name": "Percoco-Bouncer",
"description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.",
"url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH%20US%2012%20Percoco%20Adventures%20in%20Bouncerland%20WP.pdf"
},
{
"source_name": "Wang",
"description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.",
"url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.456Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Device Type Discovery",
"description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1022",
"external_id": "MOB-T1022"
},
{
"source_name": "Android-Build",
"description": "Android. (n.d.). Build. Retrieved December 21, 2016.",
"url": "https://zeltser.com/third-party-keyboards-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:23.652Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Device Unlock Code Guessing or Brute Force",
"description": "An adversary could make educated guesses of the device lock screen's PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-physical-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1062",
"external_id": "MOB-T1062"
},
{
"source_name": "PopSci-IPBox",
"description": "Dan Moren. (2015, March 18). This Box Can Figure Out Your 4-Digit iPhone Passcode. Retrieved December 23, 2016.",
"url": "http://www.popsci.com/box-can-figure-out-your-4-digit-iphone-passcode"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.003Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Disguise Root/Jailbreak Indicators",
"description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by (Citation: Rastogi) et al. (Citation: Rastogi). \n\n (Citation: Brodie) (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\n (Citation: Tan) (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1011",
"external_id": "MOB-T1011"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html",
"external_id": "EMM-5"
},
{
"source_name": "Rastogi",
"description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.",
"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"
},
{
"source_name": "Brodie",
"description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.",
"url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf"
},
{
"source_name": "Tan",
"description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017.",
"url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.667Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Downgrade to Insecure Protocols",
"description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in draft NIST SP 800-187 (Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cellular-network-based"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "general-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1069",
"external_id": "MOB-T1069"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html",
"external_id": "CEL-3"
},
{
"source_name": "NIST-SP800187",
"description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2016, November). Guide to LTE Security (DRAFT). Retrieved January 20, 2017.",
"url": "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.460Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Download New Code at Runtime",
"description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). \n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). (Citation: Wang) et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1010",
"external_id": "MOB-T1010"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
"external_id": "APP-20"
},
{
"source_name": "Poeplau-ExecuteThis",
"description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014, February). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved December 21, 2016.",
"url": "https://www.internetsociety.org/sites/default/files/10%205%200.pdf"
},
{
"source_name": "Bromium-AndroidRCE",
"description": "Tom Sutcliffe. (2014, July 31). Remote code execution on Android devices. Retrieved December 9, 2016.",
"url": "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/"
},
{
"source_name": "FireEye-JSPatch",
"description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/01/hot%20or%20not%20the%20bene.html"
},
{
"source_name": "Wang",
"description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.",
"url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang%20tielei"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.104Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Eavesdrop on Insecure Network Communication",
"description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. (Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "general-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1042",
"external_id": "MOB-T1042"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html",
"external_id": "APP-0"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"external_id": "APP-1"
},
{
"source_name": "mHealth",
"description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016.",
"url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:10.285Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Encrypt Files for Ransom",
"description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "effects"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1074",
"external_id": "MOB-T1074"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"external_id": "APP-28"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.149Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit Baseband Vulnerability",
"description": "A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-cellular-network"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1058",
"external_id": "MOB-T1058"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-18.html",
"external_id": "STA-18"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-19.html",
"external_id": "STA-19"
},
{
"source_name": "Register-BaseStation",
"description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016.",
"url": "http://www.theregister.co.uk/2015/11/12/mobile%20pwn2own1/"
},
{
"source_name": "Weinmann-Baseband",
"description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016.",
"url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:13.259Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit Enterprise Resources",
"description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "lateral-movement"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1031",
"external_id": "MOB-T1031"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html",
"external_id": "APP-32"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.405Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit OS Vulnerability",
"description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1007",
"external_id": "MOB-T1007"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
"external_id": "APP-26"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:06.524Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. These issues are discussed in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security), (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cellular-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1052",
"external_id": "MOB-T1052"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html",
"external_id": "CEL-37"
},
{
"source_name": "Engel-SS7",
"description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.",
"url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"
},
{
"source_name": "3GPP-Security",
"description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.",
"url": "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf"
},
{
"source_name": "Positive-SS7",
"description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.",
"url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"
},
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.864Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit SS7 to Track Device Location",
"description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices, for example as described in (Citation: Engel-SS7), (Citation: Engel-SS7)-2008, (Citation: 3GPP-Security) and (Citation: Positive-SS7), as well as in a report from the Communications, Security, Reliability, and Interoperability Council (CSRIC) (Citation: CSRIC5-WG10-FinalReport).\n\nDetection: Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the CSRIC (Citation: CSRIC5-WG10-FinalReport). The CSRIC also suggests threat information sharing between telecommunications industry members.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cellular-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1053",
"external_id": "MOB-T1053"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html",
"external_id": "CEL-38"
},
{
"source_name": "Engel-SS7",
"description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.",
"url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"
},
{
"source_name": "3GPP-Security",
"description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.",
"url": "http://www.3gpp.org/ftp/tsg%20sa/wg3%20security/%20specs/33900-120.pdf"
},
{
"source_name": "Positive-SS7",
"description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.",
"url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"
},
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
},
{
"source_name": "CSRIC-WG1-FinalReport",
"description": "CSRIC-WG1-FinalReport"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:22.716Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit TEE Vulnerability",
"description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1008",
"external_id": "MOB-T1008"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
},
{
"source_name": "Thomas-TrustZone",
"description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016.",
"url": "https://usmile.at/symposium/program/2015/thomas-holmes"
},
{
"source_name": "QualcommKeyMaster",
"description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016.",
"url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html"
},
{
"source_name": "EkbergTEE",
"description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.",
"url": "https://usmile.at/symposium/program/2015/ekberg"
},
{
"source_name": "laginimaineb-TEE",
"description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016.",
"url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:23.233Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Exploit via Charging Station or PC",
"description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device's physical location.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-physical-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1061",
"external_id": "MOB-T1061"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html",
"external_id": "PHY-1"
},
{
"source_name": "Krebs-JuiceJacking",
"description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016.",
"url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/"
},
{
"source_name": "Lau-Mactans",
"description": "Lau et al. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.",
"url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf"
},
{
"source_name": "IBM-NexusUSB",
"description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017.",
"url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:28.786Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Fake Developer Accounts",
"description": "An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-authorized-app-store"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1045",
"external_id": "MOB-T1045"
},
{
"source_name": "Oberheide-Bouncer",
"description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.",
"url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.965Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "File and Directory Discovery",
"description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1023",
"external_id": "MOB-T1023"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.937Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Generate Fraudulent Advertising Revenue",
"description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "effects"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1075",
"external_id": "MOB-T1075"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.462Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Insecure Third-Party Libraries",
"description": "Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities.\n\nFor example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "supply-chain"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1028",
"external_id": "MOB-T1028"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html",
"external_id": "APP-6"
},
{
"source_name": "NowSecure-RemoteCode",
"description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016.",
"url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
},
{
"source_name": "Grace-Advertisement",
"description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.",
"url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:25.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Jamming or Denial of Service",
"description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating as described in draft NIST SP 800-187 (Citation: NIST-SP800187).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cellular-network-based"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "general-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1067",
"external_id": "MOB-T1067"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"external_id": "CEL-7"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html",
"external_id": "CEL-8"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html",
"external_id": "LPN-5"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html",
"external_id": "GPS-0"
},
{
"source_name": "NIST-SP800187",
"description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2016, November). Guide to LTE Security (DRAFT). Retrieved January 20, 2017.",
"url": "http://csrc.nist.gov/publications/drafts/800-187/sp800%20187%20draft.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Local Network Configuration Discovery",
"description": "On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class (Citation: NetworkInterface). The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1025",
"external_id": "MOB-T1025"
},
{
"source_name": "NetworkInterface",
"description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.",
"url": "https://developer.android.com/reference/java/net/NetworkInterface.html"
},
{
"source_name": "TelephonyManager",
"description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.",
"url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.574Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Local Network Connections Discovery",
"description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1024",
"external_id": "MOB-T1024"
},
{
"source_name": "ConnMonitor",
"description": "Anti Spy Mobile. (2016, March 14). Network Connections. Retrieved December 21, 2016.",
"url": "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:12.267Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Location Tracking",
"description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1033",
"external_id": "MOB-T1033"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html",
"external_id": "APP-24"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.886Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Lock User Out of Device",
"description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: KeyRaider).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "effects"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1049",
"external_id": "MOB-T1049"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"external_id": "APP-28"
},
{
"source_name": "KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.488Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Lockscreen Bypass",
"description": "Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lock screen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-physical-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1064",
"external_id": "MOB-T1064"
},
{
"source_name": "Wired-AndroidBypass",
"description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.",
"url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/"
},
{
"source_name": "Kaspersky-iOSBypass",
"description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.",
"url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.682Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Media Content",
"description": "Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as demonstrated, for example, by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-internet"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1060",
"external_id": "MOB-T1060"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html",
"external_id": "CEL-22"
},
{
"source_name": "Zimperium-Stagefright",
"description": "Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016.",
"url": "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:08.155Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious SMS Message",
"description": "An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).\n\nAn SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.\n\nAs described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-cellular-network"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1057",
"external_id": "MOB-T1057"
},
{
"source_name": "Forbes-iPhoneSMS",
"description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.",
"url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html"
},
{
"source_name": "SRLabs-SIMCard",
"description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016.",
"url": "https://srlabs.de/bites/rooting-sim-cards/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:24.905Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Software Development Tools",
"description": "As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.\n\nDetection: Enterprises could deploy integrity-checking software on the computers that they use to develop code to detect the presence of unauthorized, modified software development tools.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "supply-chain"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1065",
"external_id": "MOB-T1065"
},
{
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:27.660Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Third Party Keyboard App",
"description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1020",
"external_id": "MOB-T1020"
},
{
"source_name": "Zeltser-Keyboard",
"description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.",
"url": "https://zeltser.com/third-party-keyboards-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:06.822Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious Web Content",
"description": "Content of a web page could be designed to exploit vulnerabilities in a web browser running on the mobile device.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exploit-via-internet"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1059",
"external_id": "MOB-T1059"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html",
"external_id": "CEL-22"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.446Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Malicious or Vulnerable Built-in Device Functionality",
"description": "The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "supply-chain"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1076",
"external_id": "MOB-T1076"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.460Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Manipulate App Store Rankings or Ratings",
"description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "effects"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1055",
"external_id": "MOB-T1055"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:25.322Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Manipulate Device Communication",
"description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "general-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1066",
"external_id": "MOB-T1066"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"external_id": "APP-1"
},
{
"source_name": "FireEye-SSL",
"description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:12.913Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Microphone or Camera Recordings",
"description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.\n\nDetection: On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1032",
"external_id": "MOB-T1032"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
"external_id": "APP-19"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:31.294Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify OS Kernel or Boot Partition",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.\n\nDetection: The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1001",
"external_id": "MOB-T1001"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
"external_id": "APP-26"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
},
{
"source_name": "Samsung-KnoxWarrantyBit",
"description": "Samsung. (n.d.). What is a Knox Warranty Bit and how is it triggered?. Retrieved December 21, 2016.",
"url": "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered"
},
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"url": "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:30.890Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify System Partition",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.\n\nDetection: Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1003",
"external_id": "MOB-T1003"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
},
{
"source_name": "Android-VerifiedBoot",
"description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.",
"url": "https://source.android.com/security/verifiedboot/"
},
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"url": "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.583Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify Trusted Execution Environment",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).\n\nDetection: Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1002",
"external_id": "MOB-T1002"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"external_id": "APP-27"
},
{
"source_name": "Roth-Rootkits",
"description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016.",
"url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf"
},
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"url": "https://www.apple.com/business/docs/iOS%20Security%20Guide.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:29.092Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Modify cached executable code",
"description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "persistence"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1006",
"external_id": "MOB-T1006"
},
{
"source_name": "Sabanal-ART",
"description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016.",
"url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:26.890Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Network Service Scanning",
"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1026",
"external_id": "MOB-T1026"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:14.982Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Network Traffic Capture or Redirection",
"description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.\n\nDetection: On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "collection"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1013",
"external_id": "MOB-T1013"
},
{
"source_name": "Skycure-Profiles",
"description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.",
"url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:32.328Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obfuscated or Encrypted Payload",
"description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "defense-evasion"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1009",
"external_id": "MOB-T1009"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
"external_id": "APP-21"
},
{
"source_name": "Rastogi",
"description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.",
"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"
},
{
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.",
"url": "http://ieeexplore.ieee.org/document/6234407"
},
{
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
},
{
"source_name": "Xiao-iOS",
"description": "Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016.",
"url": "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:18.237Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Obtain Device Cloud Backups",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB).\n\nDetection: Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cloud-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1073",
"external_id": "MOB-T1073"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html",
"external_id": "ECO-0"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html",
"external_id": "ECO-1"
},
{
"source_name": "Elcomsoft-EPPB",
"description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.",
"url": "https://www.elcomsoft.com/eppb.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:09.082Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Premium SMS Toll Fraud",
"description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).\n\nDetection: As described in Google's Android Security 2014 Year in Review Report (Citation: AndroidSecurity2014), starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "effects"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1051",
"external_id": "MOB-T1051"
},
{
"source_name": "Lookout-SMS",
"description": "Ryan Sammy. (2013, August 2). 10 Organizations Build 60% of Russian Toll Fraud Malware. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2013/08/02/dragon-lady/"
},
{
"source_name": "AndroidSecurity2014",
"description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016.",
"url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google%20Android%20Security%202014%20Report%20Final.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.926Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Process Discovery",
"description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1027",
"external_id": "MOB-T1027"
},
{
"source_name": "Android-SELinuxChanges",
"description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.",
"url": "https://code.google.com/p/android/issues/detail?id=205565"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:34.830Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Remotely Install Application",
"description": "An adversary with control of a target's Google account can use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-authorized-app-store"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1046",
"external_id": "MOB-T1046"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html",
"external_id": "ECO-4"
},
{
"source_name": "Oberheide-RemoteInstall",
"description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.",
"url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/"
},
{
"source_name": "Konoth",
"description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016.",
"url": "http://www.vvdveen.com/publications/BAndroid.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.023Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Remotely Track Device Without Authorization",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.\n\nDetection: Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cloud-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1071",
"external_id": "MOB-T1071"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"external_id": "ECO-5"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"external_id": "EMM-7"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:07.827Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Remotely Wipe Data Without Authorization",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).\n\nDetection: Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cloud-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1072",
"external_id": "MOB-T1072"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"external_id": "ECO-5"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"external_id": "EMM-7"
},
{
"source_name": "Honan-Hacking",
"description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.",
"url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:35.247Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Repackaged Application",
"description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by (Citation: Zhou) and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.\n\nDetection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-authorized-app-store"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-other-means"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1047",
"external_id": "MOB-T1047"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
"external_id": "APP-14"
},
{
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.",
"url": "http://ieeexplore.ieee.org/document/6234407"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:22.296Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Rogue Cellular Base Station",
"description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cellular-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1070",
"external_id": "MOB-T1070"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"external_id": "CEL-7"
},
{
"source_name": "Computerworld-Femtocell",
"description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016.",
"url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:21.354Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Rogue Wi-Fi Access Points",
"description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). \n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "general-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1068",
"external_id": "MOB-T1068"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html",
"external_id": "LPN-0"
},
{
"source_name": "NIST-SP800153",
"description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016.",
"url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf"
},
{
"source_name": "Kaspersky-DarkHotel",
"description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016.",
"url": "https://blog.kaspersky.com/darkhotel-apt/6613/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:20.329Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "SIM Card Swap",
"description": "An adversary could convince the mobile network operator (e.g. through social networking or forged identification) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts (Citation: Guardian-Simswap).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "cellular-network-based"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1054",
"external_id": "MOB-T1054"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html",
"external_id": "STA-22"
},
{
"source_name": "NYGov-Simswap",
"description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016.",
"url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html"
},
{
"source_name": "Betanews-Simswap",
"description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016.",
"url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/"
},
{
"source_name": "Guardian-Simswap",
"description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.",
"url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:33.158Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Standard Application Layer Protocol",
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "command-and-control"
},
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "exfiltration"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1040",
"external_id": "MOB-T1040"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
"external_id": "APP-29"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:05.928Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Stolen Developer Credentials or Signing Keys",
"description": "An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer's identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).\n\nDetection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "app-delivery-via-authorized-app-store"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1044",
"external_id": "MOB-T1044"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html",
"external_id": "ECO-16"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html",
"external_id": "ECO-17"
},
{
"source_name": "Infoworld-Appstore",
"description": "Galen Gruman. (2014, December 5). Keep out hijackers: Secure your app store dev account. Retrieved December 22, 2016.",
"url": "http://www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Pre-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:19.265Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "System Information Discovery",
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "discovery"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1029",
"external_id": "MOB-T1029"
},
{
"source_name": "Android-Build",
"description": "Android. (n.d.). Build. Retrieved December 21, 2016.",
"url": "https://zeltser.com/third-party-keyboards-security/"
},
{
"source_name": "StackOverflow-iOSVersion",
"description": "Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. Retrieved December 21, 2016.",
"url": "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:17.533Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "URL Scheme Hijacking",
"description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.\n\nPlatforms: iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1018",
"external_id": "MOB-T1018"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html",
"external_id": "AUT-10"
},
{
"source_name": "IETF-PKCE",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.",
"url": "https://tools.ietf.org/html/rfc7636"
},
{
"source_name": "MobileIron-XARA",
"description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.",
"url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"
},
{
"source_name": "Dhanjani-URLScheme",
"description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.",
"url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"
},
{
"source_name": "FireEye-Masque2",
"description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2015/02/ios%20masque%20attackre.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:34.407Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "User Interface Spoofing",
"description": "At least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering account credentials. \n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app in order to trick users into installing and using it.\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app as described in (Citation: Felt-PhishingOnMobileDevices) and (Citation: Hassell-ExploitingAndroid). However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.\n\nPlatforms: Android, iOS",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "credential-access"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1014",
"external_id": "MOB-T1014"
},
{
"source_name": "NIST Mobile Threat Catalogue",
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
"external_id": "APP-31"
},
{
"source_name": "Felt-PhishingOnMobileDevices",
"description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.",
"url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"
},
{
"source_name": "Hassell-ExploitingAndroid",
"description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved August 25, 2016.",
"url": "http://conference.hitb.org/hitbsecconf2011kul/materials/D1T1"
},
{
"source_name": "Android-getRunningTasks",
"description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017.",
"url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29"
},
{
"source_name": "StackOverflow-getRunningAppProcesses",
"description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.",
"url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:31.694Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Wipe Device Data",
"description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.\n\nPlatforms: Android",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-mobile-attack",
"phase_name": "effects"
}
],
"external_references": [
{
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/mobile/index.php/Technique/MOB-T1050",
"external_id": "MOB-T1050"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_platforms": [
"Android"
],
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "intrusion-set",
"id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31T21:31:48.664Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "APT28",
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"aliases": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/wiki/Group/G0007",
"external_id": "G0007"
},
{
"source_name": "Crowdstrike DNC June 2016",
"description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
"url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
},
{
"source_name": "FireEye APT28",
"description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
"url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
},
{
"source_name": "GRIZZLY STEPPE JAR",
"description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017."
},
{
"source_name": "SecureWorks TG-4127",
"description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
"url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:47.965Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "ANDROIDOS_ANSERVER.A",
"description": "ANDROIDOS_ANSERVER.A is Android malware notable for its novel use of encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
"external_id": "MOB-S0026"
},
{
"source_name": "TrendMicro-Anserver",
"description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"ANDROIDOS_ANSERVER.A"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:47.038Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Adups",
"description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0025",
"external_id": "MOB-S0025"
},
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
},
{
"source_name": "BankInfoSecurity-BackDoor",
"description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.",
"url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Adups"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:47.363Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "AndroRAT",
"description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
"external_id": "MOB-S0008"
},
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"AndroRAT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:45.482Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Android/Chuli.A",
"description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
"external_id": "MOB-S0020"
},
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Android/Chuli.A"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:39.945Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "AndroidOverlayMalware",
"description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
"external_id": "MOB-S0012"
},
{
"source_name": "FireEye-AndroidOverlay",
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"AndroidOverlayMalware"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:47.674Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "BrainTest",
"description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0009",
"external_id": "MOB-S0009"
},
{
"source_name": "CheckPoint-BrainTest",
"description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.",
"url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/"
},
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"BrainTest"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:39.631Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Charger",
"description": "The Charger Android malware \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
"external_id": "MOB-S0039"
},
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Charger"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:37.438Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Dendroid",
"description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
"external_id": "MOB-S0017"
},
{
"source_name": "Lookout-Dendroid",
"description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Dendroid"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:37.856Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "DressCode",
"description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode)\n\nAliases: DressCode",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
"external_id": "MOB-S0016"
},
{
"source_name": "TrendMicro-DressCode",
"description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"DressCode"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:40.571Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "DroidJack RAT",
"description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
"external_id": "MOB-S0036"
},
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
},
{
"source_name": "Proofpoint-Droidjack",
"description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.",
"url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"DroidJack RAT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:41.721Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "DualToy",
"description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0031",
"external_id": "MOB-S0031"
},
{
"source_name": "PaloAlto-DualToy",
"description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"DualToy"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:43.242Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Gooligan",
"description": "The Gooligan malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and Lookout describe Gooligan as part of the Ghost Push Android malware family.\n\nAliases: Gooligan",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0006",
"external_id": "MOB-S0006"
},
{
"source_name": "Gooligan",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
},
{
"source_name": "Ludwig-GhostPush",
"description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.",
"url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Gooligan"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:42.948Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "HummingBad",
"description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
"external_id": "MOB-S0038"
},
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"HummingBad"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:40.259Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "HummingWhale",
"description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
"external_id": "MOB-S0037"
},
{
"source_name": "ArsTechnica-HummingWhale",
"description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"HummingWhale"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:43.815Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "KeyRaider",
"description": "On jailbroken iOS devices, KeyRaider steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: KeyRaider",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
"external_id": "MOB-S0004"
},
{
"source_name": "KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"KeyRaider"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:40.875Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "MazarBOT",
"description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
"external_id": "MOB-S0019"
},
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"MazarBOT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:36.707Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "NotCompatible",
"description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible)\n\nAliases: NotCompatible",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
"external_id": "MOB-S0015"
},
{
"source_name": "Lookout-NotCompatible",
"description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"NotCompatible"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:44.540Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "OBAD",
"description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
"external_id": "MOB-S0002"
},
{
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"OBAD"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:45.155Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "OldBoot",
"description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
"external_id": "MOB-S0001"
},
{
"source_name": "HackerNews-OldBoot",
"description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.",
"url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"OldBoot"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:43.527Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "PJApps",
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victim\u2019s phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
"external_id": "MOB-S0007"
},
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"PJApps"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:44.238Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Pegasus",
"description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0005",
"external_id": "MOB-S0005"
},
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
},
{
"source_name": "PegasusCitizenLab",
"description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
"url": "https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Pegasus"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:41.202Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Pegasus for Android",
"description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0032",
"external_id": "MOB-S0032"
},
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
},
{
"source_name": "Google-Chrysaor",
"description": "Rich Cannings et al. (2017, April 3). An investigation of Chrysaor Malware on Android. Retrieved April 16, 2017.",
"url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Pegasus for Android",
"Chrysaor"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:38.274Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "RCSAndroid",
"description": "RCSAndroid (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: RCSAndroid",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
"external_id": "MOB-S0011"
},
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"RCSAndroid"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:48.917Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "RuMMS",
"description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
"external_id": "MOB-S0029"
},
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"RuMMS"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:38.690Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Shedun",
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"don\u2019t believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
"external_id": "MOB-S0010"
},
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Shedun",
"Shuanet",
"ShiftyBug",
"Kemoge"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:45.794Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "SpyNote RAT",
"description": "SpyNote RAT (Citation: Zscaler-SpyNote) (Remote Access Trojan) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
"external_id": "MOB-S0021"
},
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"SpyNote RAT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:46.411Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Trojan-SMS.AndroidOS.Agent.ao",
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
"external_id": "MOB-S0023"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Trojan-SMS.AndroidOS.Agent.ao"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--28e39395-91e7-4f02-b694-5e079c964da9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:46.107Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Trojan-SMS.AndroidOS.FakeInst.a",
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
"external_id": "MOB-S0022"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Trojan-SMS.AndroidOS.FakeInst.a"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--d89c132d-7752-4c7f-9372-954a71522985",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:46.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Trojan-SMS.AndroidOS.OpFake.a",
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
"external_id": "MOB-S0024"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Trojan-SMS.AndroidOS.OpFake.a"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:42.313Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Twitoor",
"description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
"external_id": "MOB-S0018"
},
{
"source_name": "ESET-Twitoor",
"description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.",
"url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Twitoor"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:37.020Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "WireLurker",
"description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0028",
"external_id": "MOB-S0028"
},
{
"source_name": "PaloAlto-WireLurker",
"description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"WireLurker"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:42.034Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "X-Agent",
"description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
"external_id": "MOB-S0030"
},
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"X-Agent"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "tool",
"id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:48.609Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Xbot",
"description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
"external_id": "MOB-S0014"
},
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Xbot"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:42.661Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "XcodeGhost",
"description": "iOS malware analyzed by Palo Alto Networks (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)\n\nAliases: XcodeGhost",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0013",
"external_id": "MOB-S0013"
},
{
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
},
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"XcodeGhost"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:48.301Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "YiSpecter",
"description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0027",
"external_id": "MOB-S0027"
},
{
"source_name": "PaloAlto-YiSpecter",
"description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"YiSpecter"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:44.853Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "ZergHelper",
"description": "As described by Palo Alto Networks (Citation: ZergHelper), the ZergHelper app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: ZergHelper",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
"external_id": "MOB-S0003"
},
{
"source_name": "ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"ZergHelper"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true,
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.732Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Application Developer Guidance",
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1013",
"external_id": "MOB-M1013"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:51.942Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Application Vetting",
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1005",
"external_id": "MOB-M1005"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:52.933Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Attestation",
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1002",
"external_id": "MOB-M1002"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:51.365Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Caution with Device Administrator Access",
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1007",
"external_id": "MOB-M1007"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:52.601Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Deploy Compromised Device Detection Method",
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1010",
"external_id": "MOB-M1010"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:50.769Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Encrypt Network Traffic",
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1009",
"external_id": "MOB-M1009"
},
{
"source_name": "TechCrunch-ATS",
"description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.",
"url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/"
},
{
"source_name": "Android-NetworkSecurityConfig",
"description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.",
"url": "https://developer.android.com/training/articles/security-config.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.318Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Enterprise Policy",
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1012",
"external_id": "MOB-M1012"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:50.181Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Interconnection Filtering",
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1014",
"external_id": "MOB-M1014"
},
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:49.554Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Lock Bootloader",
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1003",
"external_id": "MOB-M1003"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:50.493Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Security Updates",
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1001",
"external_id": "MOB-M1001"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:52.270Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "System Partition Integrity",
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1004",
"external_id": "MOB-M1004"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:51.053Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Use Device-Provided Credential Storage",
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1008",
"external_id": "MOB-M1008"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:51.657Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "Use Recent OS Version",
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1006",
"external_id": "MOB-M1006"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "course-of-action",
"id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:49.838Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "User Guidance",
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"external_references": [
{
"source_name": "mitre-attack-mobile",
"url": "https://attack.mitre.org/mobile/index.php/Mitigation/MOB-M1011",
"external_id": "MOB-M1011"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--55f12292-dc9d-4bfd-9de9-2d07cd67b044",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--077da2d7-0913-4040-b25e-2f6913ed4ea0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4a697724-4457-436b-97ad-9d6f445fb6b0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b2c289bf-e981-4bcd-87dd-b6c0680557e9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3c2d7ccc-5980-4012-8aab-64979bcd0ea6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--49fe6eac-73a7-4147-9121-85fb71fca4ed",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8e49feb1-e401-4e63-acfa-7f8b9a8ca026",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--85328449-c231-444d-905a-2988c14d3e82",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--93a524e2-cb17-4b40-8640-a03949e89775",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b28c1e81-4f78-4e40-9899-2872cdbcceba",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--69d6f3fc-17ea-4a32-b4dd-a006c75362d6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--e183af70-44d5-4d56-9aad-753eb4c1c964",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9e83607e-2936-4f25-b6d2-c357846840f3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b23ec81b-8610-4bb0-a837-2c316c67fa79",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--fab8c40d-b934-4ee0-8e83-f017af2e347a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--be2895e2-7e1d-4467-8b6a-ac06b17ce0bb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--92333055-88ce-4db2-a589-e0e1e617d8e0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7ec08d5c-73a1-4444-bd27-892090d6b2e3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--5b9a54cd-4925-4a2b-ad61-27d70e673093",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8e94da58-86b7-4a45-886e-6da58828eacd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0673ca70-d403-4e49-8e18-de4bf8ab700c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--bf859944-d097-45ba-ae01-2f85a00cad1f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--cdb1ed75-d8a5-4088-b282-0b85588bbc8c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b104c62f-771c-46c5-afc4-a964a94cea50",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.736Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--5b14149e-09f1-4d38-82bc-0ff3cff8b650",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2388ba94-8e49-40d0-a697-eea948e6cfb6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--09fa9342-34cb-4f0d-8cdf-df4d51d0ae12",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--86696d32-0af7-4308-b1fe-52306b9f839a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--1a62c9c7-2d3b-4ee7-87d1-d8774050c566",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ba556d98-4ff2-43a4-bb93-52f99265ff99",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a4b53160-fdb8-4cab-90cc-ad12ab13a8a0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f6fa0801-418e-43e5-bfae-332e909624fc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--16f55053-285d-411d-881c-6f8c1bdef8d7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--05c87985-4f8a-4a38-b1cd-ab01f0a628ed",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--718949aa-6841-48d2-9343-f01be0aa32c1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--64a6fb42-65ce-4160-a5c8-ac176f60a2ae",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2f5da3a1-19da-421f-be48-cfdcd3c79be1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--fa7b38df-eedc-469b-bcec-facdd8365231",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--15a2702e-4e49-4255-909d-bbf94abfd1d7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--690111d3-c281-4d55-a7ed-73b8dab72a85",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--94a737af-9a72-48f6-a85e-d9d7fa93bfdd",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b5097495-f417-46ed-88e2-02cba2371936",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--c5b80ca7-eceb-43ea-991e-10af5d9ca4bc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--047ab474-c4ec-4675-a817-1e0a9f8dd92f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ca7c3278-1d12-4e55-b320-39efa5a285db",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--96027d55-0bdb-4f5f-a559-66c93eab3a17",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--5f6f5913-cade-4b14-aa96-5a921b0927a7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--08e7c0ad-f2d7-472c-97de-3627ca5d2991",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--dc6eb5d7-acef-4eb4-bece-4e8c90c914dc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.733Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--26a9db86-5ecf-400a-bdd9-419448c2f776",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.733Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"target_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6f8b3839-ea91-44d5-ba68-b9d1e6076c19",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"target_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6d8ea31a-da35-442a-8e0d-1d0c0dcdf14b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a01af4da-0910-4a20-805f-86b3ae1dc046",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--51186ad6-e721-49cf-9cf7-89466d5f29f4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--00b20e5c-5f52-4a07-bfec-e30872e793e3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--95f4db59-e0b4-4c1b-b888-1fc76b21e8c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.742Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a834341f-d909-41e3-adaf-5f3450e4090e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--31942635-81b1-4657-8882-50fb97fae64b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--c2437c8b-709f-47e8-ae65-21ae48410a9e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--513c05e2-afc6-4d1b-8a8e-6d6935a8626f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--de1b1f92-c060-4d8c-81bf-465b7fb21be4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d22dc053-24a7-4a5b-ae51-8a626569ec9b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--bebf345c-21d5-410f-9015-90c144161e5d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4d2d892c-9d3a-445c-b9bf-1eab45703dcc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6bb99599-aa51-4492-9c79-296a772233b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--1ed76ca9-0ed6-40f9-89c6-64662fdd447d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6eca2456-fdcf-42e9-bcbb-a4c51ce54139",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--37c4a0cf-0552-46fd-b067-419b15833044",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3a9467d4-09df-4266-ba5a-d40309949e70",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--176ba064-0657-4850-baa3-626bc845efd3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--69bdeed3-d6a8-4d10-8bf5-44c6cb4392e5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a912f528-5218-4e0b-a350-7e9012cccdf3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9adde9d7-4ba0-4e35-93ba-1e85e9eb16bc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--903660e1-3996-4ed2-9e7a-4f8c397a71eb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7b899be0-4a9c-4e52-aeab-d8acedfe26d0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d98a030f-c551-4fd0-9948-32e1ea01f79c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.733Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3f3d63f0-1f03-4931-9624-10eaf4b207b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.733Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--1a493cb6-452f-46ce-a7b4-267eacd5d2ff",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3baf01c5-591b-43a0-8963-506531313e68",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--aa23a2c6-ed8a-4453-95d1-f9a47e14b0f9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6f1cadef-283b-466b-bfa2-0cb51edf88f7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--74155759-4c76-42d3-b64f-a898f7b582f9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.743Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--50986206-ad56-4dea-baed-846545fb2f5a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4cf9511e-da0e-4055-bc8c-56121ae120d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--49f0f7b8-7208-4650-89c2-5d6b1f166113",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ef7f8f51-6aea-4f5c-9c96-f353a14cf062",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.745Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0977107c-9dd3-4cc5-b769-7e29da9f4bb6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--aa39b402-7ecc-4057-a989-663887e540e7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--62480750-2218-4ea0-b168-b9035b9ee998",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--72d7fa07-e559-4e35-b791-64b7bf8a0aef",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ebdb9385-6311-4532-b021-2da48734aab7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.744Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8aa790cc-0d42-4114-8cbe-783abc595b8b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.737Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6407562a-d297-43cd-95df-aec9cf501ce2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8ccfab20-58cf-4af6-9fb0-6bbf59258ac9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.738Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b4e055cf-f77e-4888-9610-6cd328e035c8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2bd272ca-8a14-42cd-9664-6cc6f7451e42",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.740Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4caf3ad1-6ef8-42de-851d-bdc3a22977b3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d6930d98-f8a2-4556-baa4-95275d3fa23d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.735Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6c0491ee-53e0-44ae-bcd0-253fc47de61e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8f7c14bf-4c0f-4e54-99c2-41b511220b33",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0818895a-0d6d-47cc-ad34-a09bdb76a81b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--69efe716-affe-419e-ac06-924d2e416695",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.734Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--634e2691-341f-4e5b-83e7-e28369d88c64",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b2b31911-5b7e-4df3-89c6-00b5b372fb4f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4df969b3-f5a0-4802-b87e-a458e3e439ed",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"target_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.741Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"target_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--aaf0ae2f-07ea-479e-8419-e524e23dbaef",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.733Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"target_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3a446bee-007b-4b1f-849e-60e9d39c2e92",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.739Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--095f71ad-9a93-45ce-9b77-a101f6c894de",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--dfc1f490-f8b9-4287-8c79-652d42f0a64a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.747Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--465ff71b-2b1b-43b6-ab78-afb273d956d2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b1f2770e-11f0-429c-9bac-9fa5bc5859b0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-10-25T14:48:53.746Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f2e23cb7-7bac-4938-91ea-7dd42b41ba29",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.",
"source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "TrendMicro-Anserver",
"description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d792bffd-6745-4da6-a70f-2d5843ef05ca",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Adups is pre-installed on Android devices from some vendors.",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
},
{
"source_name": "BankInfoSecurity-BackDoor",
"description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones? Retrieved February 6, 2017.",
"url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Adups reportedly \"transmitted the full contents of text messages\".",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Adups reportedly transmitted contact lists.",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Adups reportedly transmitted call logs.",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Adups reportedly transmitted location information.",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--290a627d-172d-494d-a0cc-685f480a1034",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroRAT collects call logs.",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroRAT captures SMS messages.",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroRAT tracks the device location.",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroRAT gathers \"audio from the microphone.\"",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroRAT collects contact list information.",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--fb371daf-2771-488f-90ca-5e08b9a36c5c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malware was delivered via a spear phishing message sent to activist groups containing a malicious Android application as an attachment.",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malicious application sent to activist groups stole contact list data \"stored both on the phone and the SIM card\".",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malicious application sent to activist groups stole call logs.",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malicious application sent to activist groups stole SMS message content.",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "As reported by Kaspersky, the Android/Chuli.A malicious application sent to activist groups stole geo-location data.",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malicious application sent to activist groups gathered device data including \"phone number, OS version, phone model, and SDK version\".",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malicious application sent to activist groups used SMS to receive command and control messages.",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7c966cde-22fd-4eb2-b518-3e37a8fad88b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The Android/Chuli.A malicious application sent to activist groups used uploads to an http URL as a command and control mechanism.",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"target_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3faed885-6a3d-444f-8e57-fd8818abb1cc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroidOverlayMalware involved \"three campaigns in Europe\" that \"used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"",
"source_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-AndroidOverlay",
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f14af74f-fb6b-480f-91de-d755c89960ce",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "AndroidOverlayMalware was distributed by sending \"SMS messages with an embedded link that leads to the malware app.\"",
"source_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-AndroidOverlay",
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Original samples of BrainTest \"download their exploit packs for rooting from a remote server after installation.\"",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Original variants of BrainTest \"did have the ability to automatically root some devices, however, we did not observe that behavior in any of the 13 samples we recently discovered.\"",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "BrainTest stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "BrainTest uses root privileges if available to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "BrainTest \"provided capabilities that allowed the developers to post positive reviews on their own malicious applications using compromised devices, which may explain why every sample we observed had a rating higher than 4.0\" and \"used infected devices to download other malicious applications they had submitted to the Play Store, which would inflate the number of downloads each application received.\"",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Charger \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\".",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Charger \"steals contacts...from the user's device\".",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7e4be913-d916-4a79-ac00-262a49afe070",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Charger \"checks whether it is being run in an emulator before it starts its malicious activity\".",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"target_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Charger \"encodes strings into binary arrays, making it hard to inspect them\", and \"loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through.\"",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Charger \"checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus. This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries.\"",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ed06f5dc-9d02-4896-a0a3-2f457c64f125",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Dendroid \"can take pictures using the phone\u2019s camera, record audio and video\".",
"source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Dendroid",
"description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "DressCode sets up a \"general purpose tunnel\" that can be used by an attacker to attack enterprise networks that the mobile device is connected to.",
"source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "TrendMicro-DressCode",
"description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--5f82db63-d7c2-43c7-a056-3cf718201ced",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "DroidJack RAT included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Proofpoint-Droidjack",
"description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.",
"url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "DroidJack RAT captures \"SMS data\".",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "DroidJack RAT captures \"call data\".",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "DroidJack RAT performs \"call recording\" and \"video capturing\".",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "DualToy \"side loads malicious or risky apps to both Android and iOS devices via a USB connection\" and also collects the \"connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number\".",
"source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-DualToy",
"description": "[ Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017."
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Gooligan executes Android root exploits.",
"source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Gooligan",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Gooligan steals \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\"",
"source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Gooligan",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Gooligan can \"[i]nstall adware to generate revenue\"",
"source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Gooligan",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ac523dfb-36be-4402-acf2-abe98e183eef",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "HummingBad (in July 2016) \"installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue.\"",
"source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "HummingBad can \"silently root a large percentage of the phones it infects by exploiting vulnerabilities that remain unfixed in older versions of Android.\"",
"source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "HummingBad can help create \"fraudulent statistics inside the official Google Play Store.\"",
"source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"[T]he purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps. When users try to close the ads, the new functionality causes already downloaded apps to run in a virtual machine. That creates a fake ID that allows the perpetrators to generate referral revenues.\"",
"source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ArsTechnica-HummingWhale",
"description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9f737872-3503-4ef4-b575-ab6037b33a98",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"In addition to stealing Apple accounts to buy apps, KeyRaider also has built-in functionality to hold iOS devices for ransom.\"",
"source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b596251a-73db-4e53-a04d-51be783b0241",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "On jailbroken iOS devices, \"[m]ost KeyRaider samples hook SSLRead and SSLWrite functions in the itunesstored process\" to intercept device communication with the Apple App Store and search \"for specific patterns to find the Apple account's username, password and device's GUID in the data being transferred\".",
"source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--6fce6a21-ab9b-44a5-be20-9b631109487b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "MazarBOT is delivered via an unsolicited text message containing a link to a web download URI.",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "MazarBOT can \"send messages to premium-rate numbers\".",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "MazarBOT can \"intercept two-factor authentication codes sent by online banking apps\".",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "NotCompatible has the potential capability of exploiting systems on an enterprise network.",
"source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-NotCompatible",
"description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The OBAD Android malware family contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.",
"source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--51757971-17ac-40c3-bae7-78365579db49",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "The OBAD Android malware family abuses device administrator access to make it more difficult for users to remove the application.",
"source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "OldBoot uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.",
"source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "HackerNews-OldBoot",
"description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.",
"url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "PJApps \"may collect and leak the victim's...location.\"",
"source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "PJApps \"may send messages to premium SMS messages.\"",
"source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "PJApps \"may collect and leak the victim's phone number, mobile device unique identifier (IMEI)\".",
"source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus \"monitors the current connection state and tracks which types of networks the phone is connected to, potentially in order to determine the bandwidth and ability to send full data across the network\".",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus uses SMS for command and control.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus has the ability to record audio.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus modifies the system partition to maintain persistence.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus \"constantly updates and sends the location of the phone\".",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus exploits iOS vulnerabilities to escalate privileges.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7d481598-ece7-469c-b231-619a804c25e5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus captures \"SMS messages the victim sends or receives\".",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--34351abd-1f58-420a-a893-ad822839815d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus captures call logs.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"Pegasus...constantly monitors the phone for status and disables any other access to the phone by previous/other jailbreaking software.\"",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus \"gathers contacts from the system, dumping the victim's entire address book.\"",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus accesses sensitive data in files; for example, it \"saves any calls that Skype has previously recorded by reading them out of the Skype database files.\"",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9e77b80d-4981-4908-9203-c4e7cea5b5d8",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus was delivered via an SMS message containing a link to a web site with malicious code.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PegasusCitizenLab",
"description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
"url": "https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus was distributed through a web site and exploits vulnerabilities in the Safari web browser on iOS devices.",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android uses SMS for command and control.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android \"checks if the device is on Wi-Fi, a cellular network, and/or is roaming.\"",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android has the ability to record audio and take pictures using the device camera.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android attempts to modify the device's system partition.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android accesses call logs.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android accesses contact list information.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android accesses the list of installed applications.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android accesses calendar entries.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0e81eb1d-cd1e-43e1-8c09-03927681ce76",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Pegasus for Android attempts to detect whether it is running in an emulator rather than a real device.",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"target_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RCSAndroid has the ability to dynamically download and execute new code at runtime.",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RCSAndroid can \"[m]onitor clipboard content\".",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4088b31b-d542-4935-84b4-82b592159591",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RCSAndroid can \"[c]ollect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn\".",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "As described by Trend Micro, RCSAndroid can \"[r]ecord using the microphone\" and can \"[c]apture photos using the front and back cameras\".",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RCSAndroid can \"[c]ollect SMS, MMS, and Gmail messages\".",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RCSAndroid can \"[r]ecord location\".",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RCSAndroid can use SMS for command and control.",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "RCSAndroid",
"description": "Hacking Team (allegedly). (n.d.). RCSAndroid. Retrieved December 21, 2016.",
"url": "https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--e3a03a80-0e31-43ef-b802-d6f65c44896d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RuMMS is delivered via a web link to an APK (Android application package). The link is sent via SMS.",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RuMMS uploads incoming SMS messages to a remote command and control server.",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RuMMS uses HTTP for command and control.",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RuMMS gathers device model and operating system version information and transmits it to a command and control server.",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "RuMMS gathers the device phone number and IMEI and transmits them to a command and control server.",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Shedun \"embeds itself as a system application, and becomes nearly impossible to remove\".",
"source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--f0851531-e554-4658-920c-f2342632c19a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Shedun \"uses publicly available exploits that perform the rooting function. ShiftyBug, for example, comes packed with at least eight of them in an effort to enable itself to root as many device as possible.\"",
"source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--ebc0aa93-93ac-4b7e-ad87-9d5743a09c8e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"Malicious actors behind\" Shedun \"repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores. Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.\"",
"source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "SpyNote RAT can activate \"the device's microphone\" and listen \"to live conversations\".",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "SpyNote RAT can copy \"files from the device to a Command & Control (C&C) center\".",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "SpyNote RAT can view contacts.",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "SpyNote RAT can read SMS messages.",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "SpyNote RAT uses an Android broadcast receiver to automatically start when the device boots.",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "SpyNote RAT collects the device's location.",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Trojan-SMS.AndroidOS.Agent.ao uses Google Cloud Messaging (GCM) for command and control.",
"source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Trojan-SMS.AndroidOS.FakeInst.a uses Google Cloud Messaging (GCM) for command and control.",
"source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Trojan-SMS.AndroidOS.OpFake.a uses Google Cloud Messaging (GCM) for command and control.",
"source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9d7ac1b2-3fa9-4236-b72d-5565f0c66eab",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Twitoor uses Twitter for command and control.",
"source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ESET-Twitoor",
"description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.",
"url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken.\"",
"source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-WireLurker",
"description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017."
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.\"",
"source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-WireLurker",
"description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017."
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--efcfe1a3-3351-4b4f-ae36-101f103b4798",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "X-Agent was placed in a repackaged version of an application used by Ukrainian artillery forces.",
"source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "X-Agent was believed to have been used to obtain \"gross locational data\" of Ukrainian artillery forces.",
"source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Xbot uses \"phishing pages crafted to mimic Google Play's payment interface as well as the login pages of 7 different banks' apps\".",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Xbot \"can also remotely lock infected Android devices...and ask for a...cash card as ransom\".",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Xbot \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks\".",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "Xbot can \"encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\".",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "XcodeGhost can \"[p]rompt a fake alert dialog to phish user credentials.\"",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "XcodeGhost can \"[r]ead and write data in the user\u2019s clipboard, which could be used to read the user\u2019s password if that password is copied from a password management tool.\"",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--8e4b2305-1280-4456-8ec7-93c66da5c674",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "XcodeGhost was injected into apps by a modified version of Xcode (Apple's software development tool).",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"target_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
},
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--c5d6fb25-1782-44c4-b3ae-0cd72e8a6d37",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "\"YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices.\"",
"source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "PaloAlto-YiSpecter",
"description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017."
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--eb686f55-85de-42d8-a5a1-69a78af0f1f3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "ZergHelper \"appears to have gotten by Apple\u2019s app review process by performing different behaviors for users from different physical locations...For users outside of China, it would act as what it claimed: an English studying app. However, when accessing the app from China, its real features would appear.\" Presumably, Apple's app review occurred outside of China and the \"real features\" were not visible during the review.",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"target_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "ZergHelper tries \"to extend its capabilities via dynamic updating of its code, which could further bypass iOS security restrictions.\"",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "relationship",
"id": "relationship--40581c90-e948-4e91-8530-a9bc59cce9d7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14T16:46:06.044Z",
"modified": "2018-01-17T12:56:55.080Z",
"relationship_type": "uses",
"description": "ZergHelper \"abuses enterprises certificate and personal certificates to sign and distribute apps, which may include code that hasn\u2019t been reviewed, or abuse private APIs.\"",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"source_name": "ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"type": "identity",
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-06-01T00:00:00.000Z",
"modified": "2017-06-01T00:00:00.000Z",
"name": "The MITRE Corporation",
"identity_class": "organization",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"type": "marking-definition",
"id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-06-01T00:00:00Z",
"definition_type": "statement",
"definition": {
"statement": "Copyright 2017, The MITRE Corporation"
},
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
]
}
]
}