{
"type": "bundle",
"id": "bundle--eeb1ff74-2747-4602-96fb-e7b220361101",
"spec_version": "2.1",
"objects": [
{
"type": "x-mitre-collection",
"id": "x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"name": "Mobile ATT&CK",
"x_mitre_version": "5.0",
"description": "ATT&CK for Mobile is a matrix of adversary behavior against mobile devices (smartphones and tablets running the Android or iOS/iPadOS operating systems). ATT&CK for Mobile builds upon NIST's Mobile Threat Catalogue and also contains a separate matrix of network-based effects, which are techniques that an adversary can employ without access to the mobile device itself.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-01-17T12:56:55.080Z",
"modified": "2019-07-19T17:44:53.176Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contents": [
{
"object_ref": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e",
"object_modified": "2019-07-03T19:24:27.636Z"
},
{
"object_ref": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_modified": "2017-06-01T00:00:00.000Z"
},
{
"object_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"object_modified": "2019-07-27T00:09:33.254Z"
},
{
"object_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
"object_modified": "2019-07-16T15:35:20.554Z"
},
{
"object_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"object_modified": "2019-03-11T15:13:40.243Z"
},
{
"object_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"object_modified": "2019-07-14T21:44:43.946Z"
},
{
"object_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"object_modified": "2019-07-14T21:33:23.330Z"
},
{
"object_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"object_modified": "2018-12-11T20:40:31.461Z"
},
{
"object_ref": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"object_modified": "2019-02-03T15:07:22.709Z"
},
{
"object_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"object_modified": "2019-02-03T16:56:41.200Z"
},
{
"object_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"object_modified": "2018-10-17T01:05:10.701Z"
},
{
"object_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"object_modified": "2019-02-03T17:05:31.465Z"
},
{
"object_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"object_modified": "2019-02-03T14:28:26.995Z"
},
{
"object_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"object_modified": "2018-10-17T01:05:10.699Z"
},
{
"object_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"object_modified": "2018-10-17T01:05:10.699Z"
},
{
"object_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"object_modified": "2019-02-03T14:51:19.932Z"
},
{
"object_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"object_modified": "2018-10-17T01:05:10.703Z"
},
{
"object_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"object_modified": "2019-02-03T17:31:51.215Z"
},
{
"object_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"object_modified": "2019-02-03T14:08:44.916Z"
},
{
"object_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"object_modified": "2018-10-17T01:05:10.700Z"
},
{
"object_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"object_modified": "2018-10-17T01:05:10.703Z"
},
{
"object_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"object_modified": "2019-02-03T14:34:59.071Z"
},
{
"object_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"object_modified": "2019-02-03T15:16:13.386Z"
},
{
"object_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"object_modified": "2019-02-03T14:32:59.309Z"
},
{
"object_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"object_modified": "2019-02-03T14:54:29.631Z"
},
{
"object_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"object_modified": "2018-10-17T01:05:10.702Z"
},
{
"object_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"object_modified": "2019-02-03T16:28:52.821Z"
},
{
"object_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"object_modified": "2019-02-03T15:06:10.014Z"
},
{
"object_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"object_modified": "2019-02-03T15:10:41.460Z"
},
{
"object_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"object_modified": "2019-02-03T15:19:22.439Z"
},
{
"object_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"object_modified": "2018-10-17T01:05:10.701Z"
},
{
"object_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"object_modified": "2018-10-17T01:05:10.699Z"
},
{
"object_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
"object_modified": "2019-02-03T14:15:21.946Z"
},
{
"object_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"object_modified": "2019-02-03T17:08:07.111Z"
},
{
"object_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"object_modified": "2018-10-17T01:05:10.703Z"
},
{
"object_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"object_modified": "2019-04-29T19:35:30.985Z"
},
{
"object_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"object_modified": "2018-10-17T01:05:10.704Z"
},
{
"object_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"object_modified": "2019-02-03T14:46:13.331Z"
},
{
"object_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"object_modified": "2018-10-17T01:05:10.704Z"
},
{
"object_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"object_modified": "2019-02-03T14:24:47.779Z"
},
{
"object_ref": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"object_modified": "2019-02-03T14:23:10.576Z"
},
{
"object_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"object_modified": "2019-02-03T14:30:05.159Z"
},
{
"object_ref": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"object_modified": "2018-10-17T01:05:10.701Z"
},
{
"object_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"object_modified": "2019-02-03T14:16:59.424Z"
},
{
"object_ref": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"object_modified": "2019-02-03T15:00:50.984Z"
},
{
"object_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"object_modified": "2019-02-03T15:17:11.346Z"
},
{
"object_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"object_modified": "2019-02-03T15:15:18.023Z"
},
{
"object_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
"object_modified": "2019-02-03T14:13:24.168Z"
},
{
"object_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"object_modified": "2019-02-03T14:52:45.266Z"
},
{
"object_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"object_modified": "2018-10-17T01:05:10.700Z"
},
{
"object_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"object_modified": "2019-02-03T14:48:12.871Z"
},
{
"object_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"object_modified": "2019-02-01T19:35:03.596Z"
},
{
"object_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"object_modified": "2019-02-01T19:34:17.460Z"
},
{
"object_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"object_modified": "2019-02-03T17:03:45.255Z"
},
{
"object_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"object_modified": "2019-02-03T14:40:46.177Z"
},
{
"object_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380",
"object_modified": "2019-02-01T17:29:43.503Z"
},
{
"object_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"object_modified": "2019-07-19T17:44:53.176Z"
},
{
"object_ref": "relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f157970b-4782-46d0-abdd-000ae6eea14b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--01965668-d033-4aca-a8e5-71a07070e266",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6186ed87-69a1-43e7-bb60-76527d287e31",
"object_modified": "2019-04-29T19:35:31.074Z"
},
{
"object_ref": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--fe3ac79b-8bd2-4d95-805c-6a38de402add",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--554ec347-c8b2-43da-876b-36608dcc543d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ef7f8f51-6aea-4f5c-9c96-f353a14cf062",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6885280e-5423-422a-94f1-e91d557e043e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d22dc053-24a7-4a5b-ae51-8a626569ec9b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4d2d892c-9d3a-445c-b9bf-1eab45703dcc",
"object_modified": "2019-07-03T20:25:14.031Z"
},
{
"object_ref": "relationship--634e2691-341f-4e5b-83e7-e28369d88c64",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--efcfe1a3-3351-4b4f-ae36-101f103b4798",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8e94da58-86b7-4a45-886e-6da58828eacd",
"object_modified": "2019-06-18T13:39:55.439Z"
},
{
"object_ref": "relationship--6d8ea31a-da35-442a-8e0d-1d0c0dcdf14b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7b899be0-4a9c-4e52-aeab-d8acedfe26d0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4df969b3-f5a0-4802-b87e-a458e3e439ed",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--34cd9b65-70c5-4be4-958c-32dc4673934c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2388ba94-8e49-40d0-a697-eea948e6cfb6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8ccfab20-58cf-4af6-9fb0-6bbf59258ac9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2bd272ca-8a14-42cd-9664-6cc6f7451e42",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5b14149e-09f1-4d38-82bc-0ff3cff8b650",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b28c1e81-4f78-4e40-9899-2872cdbcceba",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--690111d3-c281-4d55-a7ed-73b8dab72a85",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--513c05e2-afc6-4d1b-8a8e-6d6935a8626f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--fab8c40d-b934-4ee0-8e83-f017af2e347a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4088b31b-d542-4935-84b4-82b592159591",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f0851531-e554-4658-920c-f2342632c19a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--05c87985-4f8a-4a38-b1cd-ab01f0a628ed",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--45a48a16-66ba-444e-89d2-61c163b956da",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ed06f5dc-9d02-4896-a0a3-2f457c64f125",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5f82db63-d7c2-43c7-a056-3cf718201ced",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b5097495-f417-46ed-88e2-02cba2371936",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--95f4db59-e0b4-4c1b-b888-1fc76b21e8c0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b2c61294-707f-4735-8874-e36ed6c1ff47",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2979b822-3f0e-4cd6-b2dc-ea6da72008ed",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b2b31911-5b7e-4df3-89c6-00b5b372fb4f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3faed885-6a3d-444f-8e57-fd8818abb1cc",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bbf13431-c3d2-4800-aada-273b3a47dcba",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--be2895e2-7e1d-4467-8b6a-ac06b17ce0bb",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5f6f5913-cade-4b14-aa96-5a921b0927a7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6f1cadef-283b-466b-bfa2-0cb51edf88f7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--50986206-ad56-4dea-baed-846545fb2f5a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--62480750-2218-4ea0-b168-b9035b9ee998",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f0a81b31-97ce-403b-90e9-7a910a93a31f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--34351abd-1f58-420a-a893-ad822839815d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--85328449-c231-444d-905a-2988c14d3e82",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f8277cd5-b14a-4b59-9f29-8ce24dfbdf5e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a4b53160-fdb8-4cab-90cc-ad12ab13a8a0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4a697724-4457-436b-97ad-9d6f445fb6b0",
"object_modified": "2019-02-03T16:56:41.477Z"
},
{
"object_ref": "relationship--a3dab73a-0af2-44c3-ba33-9b20133ae5cf",
"object_modified": "2019-02-03T17:31:51.751Z"
},
{
"object_ref": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--69d6f3fc-17ea-4a32-b4dd-a006c75362d6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ac523dfb-36be-4402-acf2-abe98e183eef",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--16f55053-285d-411d-881c-6f8c1bdef8d7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b18aa181-b1b7-43dd-9389-16a13ef2a6ed",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--aa39b402-7ecc-4057-a989-663887e540e7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--9f737872-3503-4ef4-b575-ab6037b33a98",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--15a2702e-4e49-4255-909d-bbf94abfd1d7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a01af4da-0910-4a20-805f-86b3ae1dc046",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--74155759-4c76-42d3-b64f-a898f7b582f9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3a446bee-007b-4b1f-849e-60e9d39c2e92",
"object_modified": "2019-02-03T17:03:45.451Z"
},
{
"object_ref": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7d481598-ece7-469c-b231-619a804c25e5",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--1ed76ca9-0ed6-40f9-89c6-64662fdd447d",
"object_modified": "2019-07-03T20:25:14.030Z"
},
{
"object_ref": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1",
"object_modified": "2019-07-27T00:09:37.634Z"
},
{
"object_ref": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--319d46b5-de41-4f23-9001-2fa75f954720",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e183af70-44d5-4d56-9aad-753eb4c1c964",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d98a030f-c551-4fd0-9948-32e1ea01f79c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--dfc1f490-f8b9-4287-8c79-652d42f0a64a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b1f2770e-11f0-429c-9bac-9fa5bc5859b0",
"object_modified": "2019-07-10T15:16:17.089Z"
},
{
"object_ref": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b596251a-73db-4e53-a04d-51be783b0241",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--22290cce-856a-46d5-9589-699f5dfc1429",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--9e83607e-2936-4f25-b6d2-c357846840f3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--49f0f7b8-7208-4650-89c2-5d6b1f166113",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0977107c-9dd3-4cc5-b769-7e29da9f4bb6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d6930d98-f8a2-4556-baa4-95275d3fa23d",
"object_modified": "2019-07-03T20:26:34.202Z"
},
{
"object_ref": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b2c289bf-e981-4bcd-87dd-b6c0680557e9",
"object_modified": "2019-02-03T16:56:41.449Z"
},
{
"object_ref": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--63e67cba-4eae-4495-8897-2610103a0c41",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--57474dcb-329d-4135-8f1a-87490bffdaef",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b23ec81b-8610-4bb0-a837-2c316c67fa79",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c5b80ca7-eceb-43ea-991e-10af5d9ca4bc",
"object_modified": "2019-07-03T20:20:15.575Z"
},
{
"object_ref": "relationship--6bb99599-aa51-4492-9c79-296a772233b4",
"object_modified": "2019-07-03T20:25:14.045Z"
},
{
"object_ref": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bedb2088-2f26-4380-84df-f238f514dd4c",
"object_modified": "2019-02-03T17:31:51.765Z"
},
{
"object_ref": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--dc6eb5d7-acef-4eb4-bece-4e8c90c914dc",
"object_modified": "2019-02-03T16:28:53.074Z"
},
{
"object_ref": "relationship--6f8b3839-ea91-44d5-ba68-b9d1e6076c19",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3f3d63f0-1f03-4931-9624-10eaf4b207b4",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bebf345c-21d5-410f-9015-90c144161e5d",
"object_modified": "2019-07-03T20:25:14.051Z"
},
{
"object_ref": "relationship--4caf3ad1-6ef8-42de-851d-bdc3a22977b3",
"object_modified": "2019-07-03T20:26:34.204Z"
},
{
"object_ref": "relationship--2555c438-cd9f-49ed-93f6-a935a9861c54",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--e75c623a-f9ac-4f46-b093-dd0e40b50cc6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--bd351b17-e995-4528-bbea-e1138c51476a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2a287c91-2792-407f-a9ee-8153a802b7c6",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f6fa0801-418e-43e5-bfae-332e909624fc",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--095f71ad-9a93-45ce-9b77-a101f6c894de",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--290a627d-172d-494d-a0cc-685f480a1034",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--13efc415-5e17-4a16-81c2-64e74815907f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--93103ac2-0e3b-4f0f-a054-7f9b947b3172",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--92333055-88ce-4db2-a589-e0e1e617d8e0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--077da2d7-0913-4040-b25e-2f6913ed4ea0",
"object_modified": "2019-07-23T15:35:23.547Z"
},
{
"object_ref": "relationship--72d7fa07-e559-4e35-b791-64b7bf8a0aef",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8aa790cc-0d42-4114-8cbe-783abc595b8b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--465ff71b-2b1b-43b6-ab78-afb273d956d2",
"object_modified": "2019-07-10T15:16:17.097Z"
},
{
"object_ref": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2c48d774-99b0-4d69-b485-1a8ef1f23808",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--05563777-5771-4bd6-a1af-3e244cf42372",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7ec08d5c-73a1-4444-bd27-892090d6b2e3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--26a9db86-5ecf-400a-bdd9-419448c2f776",
"object_modified": "2019-02-03T16:28:53.048Z"
},
{
"object_ref": "relationship--903660e1-3996-4ed2-9e7a-4f8c397a71eb",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--5b9a54cd-4925-4a2b-ad61-27d70e673093",
"object_modified": "2019-02-03T17:05:31.587Z"
},
{
"object_ref": "relationship--9d621873-6d3c-4660-be9a-57e2e8648236",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--94a737af-9a72-48f6-a85e-d9d7fa93bfdd",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--08e7c0ad-f2d7-472c-97de-3627ca5d2991",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--37c4a0cf-0552-46fd-b067-419b15833044",
"object_modified": "2019-02-03T17:08:07.545Z"
},
{
"object_ref": "relationship--69efe716-affe-419e-ac06-924d2e416695",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--51186ad6-e721-49cf-9cf7-89466d5f29f4",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3230c032-17e0-49f7-b948-c157049aafe2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--31942635-81b1-4657-8882-50fb97fae64b",
"object_modified": "2019-07-03T20:21:22.321Z"
},
{
"object_ref": "relationship--ebdb9385-6311-4532-b021-2da48734aab7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4fc45b06-287d-4151-9f5a-37bb34dcdeec",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6eca2456-fdcf-42e9-bcbb-a4c51ce54139",
"object_modified": "2019-02-03T17:08:07.489Z"
},
{
"object_ref": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3",
"object_modified": "2019-02-03T17:08:07.516Z"
},
{
"object_ref": "relationship--de1b1f92-c060-4d8c-81bf-465b7fb21be4",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b4e055cf-f77e-4888-9610-6cd328e035c8",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--50c81a85-8c70-48df-a338-8622d2debc74",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--3c2d7ccc-5980-4012-8aab-64979bcd0ea6",
"object_modified": "2019-02-03T16:56:41.438Z"
},
{
"object_ref": "relationship--ef977f9e-c505-449f-883a-915c1de1015f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--55f12292-dc9d-4bfd-9de9-2d07cd67b044",
"object_modified": "2019-07-23T15:35:23.560Z"
},
{
"object_ref": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--93a524e2-cb17-4b40-8640-a03949e89775",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6c0491ee-53e0-44ae-bcd0-253fc47de61e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--0818895a-0d6d-47cc-ad34-a09bdb76a81b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--6407562a-d297-43cd-95df-aec9cf501ce2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ba556d98-4ff2-43a4-bb93-52f99265ff99",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--8d435703-05c0-4320-945c-05ebe1b06399",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--51757971-17ac-40c3-bae7-78365579db49",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--a3ba222d-8dcd-4222-b1d0-169eff16922f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--93c20f43-6684-471c-910f-d9577f289677",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--09fa9342-34cb-4f0d-8cdf-df4d51d0ae12",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--00b20e5c-5f52-4a07-bfec-e30872e793e3",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--4cf9511e-da0e-4055-bc8c-56121ae120d2",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--71490fdb-e271-4a67-b932-5288924b1dae",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--86696d32-0af7-4308-b1fe-52306b9f839a",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--9ea81224-70ef-46c2-89d4-2261c11789b4",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--96027d55-0bdb-4f5f-a559-66c93eab3a17",
"object_modified": "2018-10-17T00:14:20.652Z"
},
{
"object_ref": "relationship--566555df-fe3c-4d8b-94b7-6bf3bbd69973",
"object_modified": "2019-03-11T15:13:40.480Z"
},
{
"object_ref": "relationship--919a13bc-74be-4660-af63-454abee92635",
"object_modified": "2019-03-11T15:13:40.408Z"
},
{
"object_ref": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7",
"object_modified": "2019-03-11T15:13:40.425Z"
},
{
"object_ref": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22",
"object_modified": "2019-03-11T15:13:40.454Z"
},
{
"object_ref": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357",
"object_modified": "2019-07-14T21:44:44.459Z"
},
{
"object_ref": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d",
"object_modified": "2019-07-14T21:44:44.660Z"
},
{
"object_ref": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e",
"object_modified": "2019-07-14T21:44:44.456Z"
},
{
"object_ref": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248",
"object_modified": "2019-07-14T21:44:44.664Z"
},
{
"object_ref": "relationship--29c45d94-f985-4128-b845-bf1159d606cb",
"object_modified": "2019-07-14T21:44:44.661Z"
},
{
"object_ref": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e",
"object_modified": "2019-07-14T21:44:44.663Z"
},
{
"object_ref": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14",
"object_modified": "2019-07-14T21:33:23.454Z"
},
{
"object_ref": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c",
"object_modified": "2019-07-14T21:33:23.471Z"
},
{
"object_ref": "relationship--48486680-530c-4ed9-aca3-94969aa262b6",
"object_modified": "2019-07-14T21:33:23.504Z"
},
{
"object_ref": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1",
"object_modified": "2019-07-14T21:33:23.506Z"
},
{
"object_ref": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650",
"object_modified": "2019-07-14T21:33:23.530Z"
},
{
"object_ref": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed",
"object_modified": "2019-07-14T21:33:23.528Z"
},
{
"object_ref": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd",
"object_modified": "2019-07-14T21:33:23.558Z"
},
{
"object_ref": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3",
"object_modified": "2019-07-14T21:33:23.556Z"
},
{
"object_ref": "relationship--04530307-22d8-4a06-9056-55eea225fabb",
"object_modified": "2019-07-14T21:33:23.577Z"
},
{
"object_ref": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84",
"object_modified": "2019-07-14T21:33:23.588Z"
},
{
"object_ref": "relationship--32625429-e05a-48a5-8f0b-53c6046e9b1a",
"object_modified": "2019-07-14T21:33:23.589Z"
},
{
"object_ref": "relationship--fb587f81-1300-438d-a33b-f8d08530788b",
"object_modified": "2019-07-14T21:33:23.601Z"
},
{
"object_ref": "relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa0a5f",
"object_modified": "2019-07-16T15:35:21.028Z"
},
{
"object_ref": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71",
"object_modified": "2019-07-16T15:35:20.953Z"
},
{
"object_ref": "relationship--fbd2d4f7-96ff-4624-a567-d4882f0c10ca",
"object_modified": "2019-07-23T15:35:23.530Z"
},
{
"object_ref": "relationship--f2e23cb7-7bac-4938-91ea-7dd42b41ba29",
"object_modified": "2018-04-30T13:45:13.024Z"
},
{
"object_ref": "relationship--f825f5ea-3815-431f-b005-4c01b8b2fed9",
"object_modified": "2018-04-30T13:45:13.024Z"
},
{
"object_ref": "relationship--9d7ac1b2-3fa9-4236-b72d-5565f0c66eab",
"object_modified": "2019-02-01T17:38:06.098Z"
},
{
"object_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"object_modified": "2019-02-01T17:38:05.973Z"
},
{
"object_ref": "relationship--49fe6eac-73a7-4147-9121-85fb71fca4ed",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--8e49feb1-e401-4e63-acfa-7f8b9a8ca026",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--0673ca70-d403-4e49-8e18-de4bf8ab700c",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--bf859944-d097-45ba-ae01-2f85a00cad1f",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--cdb1ed75-d8a5-4088-b282-0b85588bbc8c",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--b104c62f-771c-46c5-afc4-a964a94cea50",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--1a62c9c7-2d3b-4ee7-87d1-d8774050c566",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--718949aa-6841-48d2-9343-f01be0aa32c1",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--64a6fb42-65ce-4160-a5c8-ac176f60a2ae",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--2f5da3a1-19da-421f-be48-cfdcd3c79be1",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--fa7b38df-eedc-469b-bcec-facdd8365231",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--047ab474-c4ec-4675-a817-1e0a9f8dd92f",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--ca7c3278-1d12-4e55-b320-39efa5a285db",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--a834341f-d909-41e3-adaf-5f3450e4090e",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--c2437c8b-709f-47e8-ae65-21ae48410a9e",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--3a9467d4-09df-4266-ba5a-d40309949e70",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--176ba064-0657-4850-baa3-626bc845efd3",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--69bdeed3-d6a8-4d10-8bf5-44c6cb4392e5",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--a912f528-5218-4e0b-a350-7e9012cccdf3",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--9adde9d7-4ba0-4e35-93ba-1e85e9eb16bc",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--1a493cb6-452f-46ce-a7b4-267eacd5d2ff",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--3baf01c5-591b-43a0-8963-506531313e68",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--aa23a2c6-ed8a-4453-95d1-f9a47e14b0f9",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--8f7c14bf-4c0f-4e54-99c2-41b511220b33",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--aaf0ae2f-07ea-479e-8419-e524e23dbaef",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--d792bffd-6745-4da6-a70f-2d5843ef05ca",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--fb371daf-2771-488f-90ca-5e08b9a36c5c",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--7c966cde-22fd-4eb2-b518-3e37a8fad88b",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--f14af74f-fb6b-480f-91de-d755c89960ce",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--7e4be913-d916-4a79-ac00-262a49afe070",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--6fce6a21-ab9b-44a5-be20-9b631109487b",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--9e77b80d-4981-4908-9203-c4e7cea5b5d8",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--0e81eb1d-cd1e-43e1-8c09-03927681ce76",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--e3a03a80-0e31-43ef-b802-d6f65c44896d",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--ebc0aa93-93ac-4b7e-ad87-9d5743a09c8e",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--8e4b2305-1280-4456-8ec7-93c66da5c674",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--c5d6fb25-1782-44c4-b3ae-0cd72e8a6d37",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--eb686f55-85de-42d8-a5a1-69a78af0f1f3",
"object_modified": "2018-10-23T00:14:20.652Z"
},
{
"object_ref": "relationship--40581c90-e948-4e91-8530-a9bc59cce9d7",
"object_modified": "2018-10-23T00:14:20.652Z"
}
]
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Collection",
"external_references": [
{
"external_id": "TA0035",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0035"
}
],
"x_mitre_shortname": "collection",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Command and Control",
"external_references": [
{
"external_id": "TA0037",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0037"
}
],
"x_mitre_shortname": "command-and-control",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Credential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Credential Access",
"external_references": [
{
"external_id": "TA0031",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0031"
}
],
"x_mitre_shortname": "credential-access",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Defense Evasion",
"external_references": [
{
"external_id": "TA0030",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0030"
}
],
"x_mitre_shortname": "defense-evasion",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Discovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Discovery",
"external_references": [
{
"external_id": "TA0032",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0032"
}
],
"x_mitre_shortname": "discovery",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Exfiltration",
"external_references": [
{
"external_id": "TA0036",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0036"
}
],
"x_mitre_shortname": "exfiltration",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Impact",
"external_references": [
{
"external_id": "TA0034",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0034"
}
],
"x_mitre_shortname": "impact",
"modified": "2019-07-03T19:24:27.636Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Initial Access",
"external_references": [
{
"external_id": "TA0027",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0027"
}
],
"x_mitre_shortname": "initial-access",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Lateral Movement",
"external_references": [
{
"external_id": "TA0033",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0033"
}
],
"x_mitre_shortname": "lateral-movement",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Network Effects",
"external_references": [
{
"external_id": "TA0038",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0038"
}
],
"x_mitre_shortname": "network-effects",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Persistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Persistence",
"external_references": [
{
"external_id": "TA0028",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0028"
}
],
"x_mitre_shortname": "persistence",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Privilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Privilege Escalation",
"external_references": [
{
"external_id": "TA0029",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0029"
}
],
"x_mitre_shortname": "privilege-escalation",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.",
"type": "x-mitre-tactic",
"id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "Remote Service Effects",
"external_references": [
{
"external_id": "TA0039",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/tactics/TA0039"
}
],
"x_mitre_shortname": "remote-service-effects",
"modified": "2018-10-17T00:14:20.652Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"modified": "2017-06-01T00:00:00.000Z",
"type": "identity",
"identity_class": "organization",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "The MITRE Corporation",
"id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-06-01T00:00:00.000Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)",
"aliases": [
"APT28",
"SNAKEMACKEREL",
"Swallowtail",
"Group 74",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"external_references": [
{
"external_id": "G0007",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0007"
},
{
"source_name": "APT28",
"description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)"
},
{
"source_name": "SNAKEMACKEREL",
"description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"
},
{
"source_name": "Swallowtail",
"description": "(Citation: Symantec APT28 Oct 2018)"
},
{
"source_name": "Group 74",
"description": "(Citation: Talos Seduploader Oct 2017)"
},
{
"source_name": "Sednit",
"description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. (Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)"
},
{
"source_name": "Sofacy",
"description": "This designation has been used in reporting both to refer to the threat group and its associated malware. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"
},
{
"source_name": "Pawn Storm",
"description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)"
},
{
"source_name": "Fancy Bear",
"description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)"
},
{
"source_name": "STRONTIUM",
"description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3)"
},
{
"source_name": "Tsar Team",
"description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)"
},
{
"source_name": "Threat Group-4127",
"description": "(Citation: SecureWorks TG-4127)"
},
{
"source_name": "TG-4127",
"description": "(Citation: SecureWorks TG-4127)"
},
{
"source_name": "DOJ GRU Indictment Jul 2018",
"description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.",
"url": "https://www.justice.gov/file/1080281/download"
},
{
"source_name": "Ars Technica GRU indictment Jul 2018",
"description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.",
"url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
},
{
"source_name": "Crowdstrike DNC June 2016",
"description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
"url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
},
{
"source_name": "FireEye APT28",
"description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
"url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
},
{
"source_name": "SecureWorks TG-4127",
"description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
"url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
},
{
"source_name": "FireEye APT28 January 2017",
"description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.",
"url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
},
{
"source_name": "GRIZZLY STEPPE JAR",
"description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
"url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
},
{
"source_name": "Sofacy DealersChoice",
"description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
},
{
"source_name": "Palo Alto Sofacy 06-2018",
"description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
},
{
"source_name": "Symantec APT28 Oct 2018",
"description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.",
"url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
},
{
"source_name": "ESET Zebrocy May 2019",
"description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.",
"url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
},
{
"source_name": "Kaspersky Sofacy",
"description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
"url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
},
{
"source_name": "ESET Sednit Part 3",
"description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.",
"url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
},
{
"source_name": "Talos Seduploader Oct 2017",
"description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.",
"url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
},
{
"source_name": "Securelist Sofacy Feb 2018",
"description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.",
"url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
},
{
"source_name": "Accenture SNAKEMACKEREL Nov 2018",
"description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
"url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
}
],
"x_mitre_version": "2.1",
"modified": "2019-07-27T00:09:33.254Z",
"type": "intrusion-set",
"created": "2017-05-31T21:31:48.664Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "APT28",
"x_mitre_contributors": [
"Emily Ratliff, IBM",
"Richard Gold, Digital Shadows"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "Dark Caracal",
"description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)",
"type": "intrusion-set",
"aliases": [
"Dark Caracal"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
"external_references": [
{
"external_id": "G0070",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0070"
},
{
"source_name": "Dark Caracal",
"description": "(Citation: Lookout Dark Caracal Jan 2018)"
},
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-16T15:35:20.554Z",
"x_mitre_version": "1.1",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"x_mitre_old_attack_id": "MOB-M1013",
"type": "course-of-action",
"name": "Application Developer Guidance",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"external_references": [
{
"external_id": "M1013",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1013"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:53.732Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.",
"x_mitre_old_attack_id": "MOB-M1005",
"type": "course-of-action",
"name": "Application Vetting",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"external_references": [
{
"external_id": "M1005",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1005"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:51.942Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"x_mitre_old_attack_id": "MOB-M1002",
"type": "course-of-action",
"name": "Attestation",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"external_references": [
{
"external_id": "M1002",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1002"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:52.933Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"x_mitre_old_attack_id": "MOB-M1007",
"type": "course-of-action",
"name": "Caution with Device Administrator Access",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"external_references": [
{
"external_id": "M1007",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1007"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:51.365Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"x_mitre_old_attack_id": "MOB-M1010",
"type": "course-of-action",
"name": "Deploy Compromised Device Detection Method",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"external_references": [
{
"external_id": "M1010",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1010"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:52.601Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"x_mitre_old_attack_id": "MOB-M1009",
"type": "course-of-action",
"name": "Encrypt Network Traffic",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"external_references": [
{
"external_id": "M1009",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1009"
},
{
"source_name": "TechCrunch-ATS",
"description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.",
"url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/"
},
{
"source_name": "Android-NetworkSecurityConfig",
"description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.",
"url": "https://developer.android.com/training/articles/security-config.html"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:50.769Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"x_mitre_old_attack_id": "MOB-M1012",
"type": "course-of-action",
"name": "Enterprise Policy",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"external_references": [
{
"external_id": "M1012",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1012"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:53.318Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"x_mitre_old_attack_id": "MOB-M1014",
"type": "course-of-action",
"name": "Interconnection Filtering",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"external_references": [
{
"external_id": "M1014",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1014"
},
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:50.181Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"x_mitre_old_attack_id": "MOB-M1003",
"type": "course-of-action",
"name": "Lock Bootloader",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"external_references": [
{
"external_id": "M1003",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1003"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:49.554Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.",
"x_mitre_old_attack_id": "MOB-M1001",
"type": "course-of-action",
"name": "Security Updates",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"external_references": [
{
"external_id": "M1001",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1001"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:50.493Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"x_mitre_old_attack_id": "MOB-M1004",
"type": "course-of-action",
"name": "System Partition Integrity",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
"external_references": [
{
"external_id": "M1004",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1004"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:52.270Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"x_mitre_old_attack_id": "MOB-M1008",
"type": "course-of-action",
"name": "Use Device-Provided Credential Storage",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"external_references": [
{
"external_id": "M1008",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1008"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:51.053Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"x_mitre_old_attack_id": "MOB-M1006",
"type": "course-of-action",
"name": "Use Recent OS Version",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"external_references": [
{
"external_id": "M1006",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1006"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:51.657Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"x_mitre_old_attack_id": "MOB-M1011",
"type": "course-of-action",
"name": "User Guidance",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"external_references": [
{
"external_id": "M1011",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/mitigations/M1011"
}
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_version": "1.0",
"created": "2017-10-25T14:48:49.838Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)",
"x_mitre_old_attack_id": "MOB-S0026",
"id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"external_references": [
{
"external_id": "S0310",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0310"
},
{
"source_name": "ANDROIDOS_ANSERVER.A",
"description": "(Citation: TrendMicro-Anserver)"
},
{
"source_name": "TrendMicro-Anserver",
"description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
}
],
"x_mitre_version": "1.2",
"x_mitre_platforms": [
"Android"
],
"modified": "2019-03-11T15:13:40.243Z",
"type": "malware",
"created": "2017-10-25T14:48:47.965Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "ANDROIDOS_ANSERVER.A",
"x_mitre_aliases": [
"ANDROIDOS_ANSERVER.A"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)",
"x_mitre_old_attack_id": "MOB-S0025",
"id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"external_references": [
{
"external_id": "S0309",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0309"
},
{
"source_name": "Adups",
"description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)"
},
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
},
{
"source_name": "BankInfoSecurity-BackDoor",
"description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.",
"url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:47.038Z",
"x_mitre_platforms": [
"Android"
],
"name": "Adups",
"x_mitre_aliases": [
"Adups"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)",
"x_mitre_old_attack_id": "MOB-S0035",
"id": "malware--08784a9d-09e9-4dce-a839-9612398214e8",
"external_references": [
{
"external_id": "S0319",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0319"
},
{
"source_name": "Allwinner",
"description": "(Citation: HackerNews-Allwinner)"
},
{
"source_name": "HackerNews-Allwinner",
"description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.",
"url": "https://thehackernews.com/2016/05/android-kernal-exploit.html"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "Allwinner",
"x_mitre_aliases": [
"Allwinner"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)",
"x_mitre_old_attack_id": "MOB-S0008",
"id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"external_references": [
{
"external_id": "S0292",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0292"
},
{
"source_name": "AndroRAT",
"description": "(Citation: Lookout-EnterpriseApps)"
},
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:47.363Z",
"x_mitre_platforms": [
"Android"
],
"name": "AndroRAT",
"x_mitre_aliases": [
"AndroRAT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android Overlay Malware](https://attack.mitre.org/software/S0296) is malware that was used in a 2016 campaign targeting European countries. The malware attempted to trick users into providing banking credentials. (Citation: FireEye-AndroidOverlay)",
"x_mitre_old_attack_id": "MOB-S0012",
"id": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"external_references": [
{
"external_id": "S0296",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0296"
},
{
"source_name": "Android Overlay Malware",
"description": "(Citation: FireEye-AndroidOverlay)"
},
{
"source_name": "FireEye-AndroidOverlay",
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:39.945Z",
"x_mitre_platforms": [
"Android"
],
"name": "Android Overlay Malware",
"x_mitre_aliases": [
"Android Overlay Malware"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)",
"x_mitre_old_attack_id": "MOB-S0020",
"id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"external_references": [
{
"external_id": "S0304",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0304"
},
{
"source_name": "Android/Chuli.A",
"description": "(Citation: Kaspersky-WUC)"
},
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:45.482Z",
"x_mitre_platforms": [
"Android"
],
"name": "Android/Chuli.A",
"x_mitre_aliases": [
"Android/Chuli.A"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)",
"x_mitre_old_attack_id": "MOB-S0009",
"id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"external_references": [
{
"external_id": "S0293",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0293"
},
{
"source_name": "BrainTest",
"description": "(Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)"
},
{
"source_name": "CheckPoint-BrainTest",
"description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.",
"url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/"
},
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:47.674Z",
"x_mitre_platforms": [
"Android"
],
"name": "BrainTest",
"x_mitre_aliases": [
"BrainTest"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)",
"x_mitre_old_attack_id": "MOB-S0039",
"id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"external_references": [
{
"external_id": "S0323",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0323"
},
{
"source_name": "Charger",
"description": "(Citation: CheckPoint-Charger)"
},
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:39.631Z",
"x_mitre_platforms": [
"Android"
],
"name": "Charger",
"x_mitre_aliases": [
"Charger"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android malware family. (Citation: Lookout-Dendroid)",
"x_mitre_old_attack_id": "MOB-S0017",
"id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
"external_references": [
{
"external_id": "S0301",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0301"
},
{
"source_name": "Dendroid",
"description": "(Citation: Lookout-Dendroid)"
},
{
"source_name": "Lookout-Dendroid",
"description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:37.438Z",
"x_mitre_platforms": [
"Android"
],
"name": "Dendroid",
"x_mitre_aliases": [
"Dendroid"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)",
"x_mitre_old_attack_id": "MOB-S0016",
"id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"external_references": [
{
"external_id": "S0300",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0300"
},
{
"source_name": "DressCode",
"description": "(Citation: TrendMicro-DressCode)"
},
{
"source_name": "TrendMicro-DressCode",
"description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:37.856Z",
"x_mitre_platforms": [
"Android"
],
"name": "DressCode",
"x_mitre_aliases": [
"DressCode"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)",
"x_mitre_old_attack_id": "MOB-S0036",
"id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"external_references": [
{
"external_id": "S0320",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0320"
},
{
"source_name": "DroidJack",
"description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)"
},
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
},
{
"source_name": "Proofpoint-Droidjack",
"description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.",
"url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:40.571Z",
"x_mitre_platforms": [
"Android"
],
"name": "DroidJack",
"x_mitre_aliases": [
"DroidJack"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)",
"x_mitre_old_attack_id": "MOB-S0031",
"id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"external_references": [
{
"external_id": "S0315",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0315"
},
{
"source_name": "DualToy",
"description": "(Citation: PaloAlto-DualToy)"
},
{
"source_name": "PaloAlto-DualToy",
"description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:41.721Z",
"x_mitre_platforms": [
"Android",
"iOS"
],
"name": "DualToy",
"x_mitre_aliases": [
"DualToy"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)",
"id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"external_references": [
{
"external_id": "S0182",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0182"
},
{
"source_name": "FinFisher",
"description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)"
},
{
"source_name": "FinSpy",
"description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)"
},
{
"source_name": "FinFisher Citation",
"description": "FinFisher. (n.d.). Retrieved December 20, 2017.",
"url": "http://www.finfisher.com/FinFisher/index.html"
},
{
"source_name": "Microsoft SIR Vol 21",
"description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.",
"url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"
},
{
"source_name": "FireEye FinSpy Sept 2017",
"description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.",
"url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
},
{
"source_name": "Securelist BlackOasis Oct 2017",
"description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.",
"url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/"
},
{
"source_name": "Microsoft FinFisher March 2018",
"description": "Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.",
"url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
}
],
"x_mitre_version": "1.2",
"x_mitre_platforms": [
"Windows",
"Android"
],
"modified": "2019-07-14T21:44:43.946Z",
"type": "malware",
"created": "2018-01-16T16:13:52.465Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"name": "FinFisher",
"x_mitre_aliases": [
"FinFisher",
"FinSpy"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)",
"x_mitre_old_attack_id": "MOB-S0006",
"id": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"external_references": [
{
"external_id": "S0290",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0290"
},
{
"source_name": "Gooligan",
"description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)"
},
{
"source_name": "Ghost Push",
"description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)"
},
{
"source_name": "Gooligan Citation",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
},
{
"source_name": "Ludwig-GhostPush",
"description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.",
"url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
},
{
"source_name": "Lookout-Gooligan",
"description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. Retrieved December 12, 2016.",
"url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:43.242Z",
"x_mitre_platforms": [
"Android"
],
"name": "Gooligan",
"x_mitre_aliases": [
"Gooligan",
"Ghost Push"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)",
"x_mitre_old_attack_id": "MOB-S0038",
"id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"external_references": [
{
"external_id": "S0322",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0322"
},
{
"source_name": "HummingBad",
"description": "(Citation: ArsTechnica-HummingBad)"
},
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:42.948Z",
"x_mitre_platforms": [
"Android"
],
"name": "HummingBad",
"x_mitre_aliases": [
"HummingBad"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)",
"x_mitre_old_attack_id": "MOB-S0037",
"id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"external_references": [
{
"external_id": "S0321",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0321"
},
{
"source_name": "HummingWhale",
"description": "(Citation: ArsTechnica-HummingWhale)"
},
{
"source_name": "ArsTechnica-HummingWhale",
"description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:40.259Z",
"x_mitre_platforms": [
"Android"
],
"name": "HummingWhale",
"x_mitre_aliases": [
"HummingWhale"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)",
"x_mitre_old_attack_id": "MOB-S0041",
"id": "malware--172444ab-97fc-4d94-b142-179452bfb760",
"external_references": [
{
"external_id": "S0325",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0325"
},
{
"source_name": "Judy",
"description": "(Citation: CheckPoint-Judy)"
},
{
"source_name": "CheckPoint-Judy",
"description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.",
"url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "Judy",
"x_mitre_aliases": [
"Judy"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)",
"x_mitre_old_attack_id": "MOB-S0004",
"id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"external_references": [
{
"external_id": "S0288",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0288"
},
{
"source_name": "KeyRaider",
"description": "(Citation: Xiao-KeyRaider)"
},
{
"source_name": "Xiao-KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:43.815Z",
"x_mitre_platforms": [
"iOS"
],
"name": "KeyRaider",
"x_mitre_aliases": [
"KeyRaider"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)",
"x_mitre_old_attack_id": "MOB-S0033",
"id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291",
"external_references": [
{
"external_id": "S0317",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0317"
},
{
"source_name": "Marcher",
"description": "(Citation: Proofpoint-Marcher)"
},
{
"source_name": "Proofpoint-Marcher",
"description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.",
"url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "Marcher",
"x_mitre_aliases": [
"Marcher"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)",
"x_mitre_old_attack_id": "MOB-S0019",
"id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"external_references": [
{
"external_id": "S0303",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0303"
},
{
"source_name": "MazarBOT",
"description": "(Citation: Tripwire-MazarBOT)"
},
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:40.875Z",
"x_mitre_platforms": [
"Android"
],
"name": "MazarBOT",
"x_mitre_aliases": [
"MazarBOT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)",
"x_mitre_old_attack_id": "MOB-S0015",
"id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"external_references": [
{
"external_id": "S0299",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0299"
},
{
"source_name": "NotCompatible",
"description": "(Citation: Lookout-NotCompatible)"
},
{
"source_name": "Lookout-NotCompatible",
"description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:36.707Z",
"x_mitre_platforms": [
"Android"
],
"name": "NotCompatible",
"x_mitre_aliases": [
"NotCompatible"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)",
"x_mitre_old_attack_id": "MOB-S0002",
"id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"external_references": [
{
"external_id": "S0286",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0286"
},
{
"source_name": "OBAD",
"description": "(Citation: TrendMicro-Obad)"
},
{
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:44.540Z",
"x_mitre_platforms": [
"Android"
],
"name": "OBAD",
"x_mitre_aliases": [
"OBAD"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)",
"x_mitre_old_attack_id": "MOB-S0001",
"id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc",
"external_references": [
{
"external_id": "S0285",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0285"
},
{
"source_name": "OldBoot",
"description": "(Citation: HackerNews-OldBoot)"
},
{
"source_name": "HackerNews-OldBoot",
"description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.",
"url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:45.155Z",
"x_mitre_platforms": [
"Android"
],
"name": "OldBoot",
"x_mitre_aliases": [
"OldBoot"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)",
"x_mitre_old_attack_id": "MOB-S0007",
"id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"external_references": [
{
"external_id": "S0291",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0291"
},
{
"source_name": "PJApps",
"description": "(Citation: Lookout-EnterpriseApps)"
},
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:43.527Z",
"x_mitre_platforms": [
"Android"
],
"name": "PJApps",
"x_mitre_aliases": [
"PJApps"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070). (Citation: Lookout Dark Caracal Jan 2018)",
"id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"external_references": [
{
"external_id": "S0399",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0399"
},
{
"source_name": "Pallas",
"description": "(Citation: Lookout Dark Caracal Jan 2018)"
},
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"x_mitre_version": "1.0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-14T21:33:23.330Z",
"type": "malware",
"created": "2019-07-10T15:35:43.217Z",
"x_mitre_platforms": [
"Android"
],
"name": "Pallas",
"x_mitre_aliases": [
"Pallas"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).",
"x_mitre_old_attack_id": "MOB-S0032",
"id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"external_references": [
{
"external_id": "S0316",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0316"
},
{
"source_name": "Pegasus for Android",
"description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)"
},
{
"source_name": "Chrysaor",
"description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)"
},
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
},
{
"source_name": "Google-Chrysaor",
"description": "Rich Cannings et al. (2017, April 3). An investigation of Chrysaor Malware on Android. Retrieved April 16, 2017.",
"url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:41.202Z",
"x_mitre_platforms": [
"Android"
],
"name": "Pegasus for Android",
"x_mitre_aliases": [
"Pegasus for Android",
"Chrysaor"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).",
"x_mitre_old_attack_id": "MOB-S0005",
"id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"external_references": [
{
"external_id": "S0289",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0289"
},
{
"source_name": "Pegasus for iOS",
"description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)"
},
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
},
{
"source_name": "PegasusCitizenLab",
"description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
"url": "https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:44.238Z",
"x_mitre_platforms": [
"iOS"
],
"name": "Pegasus for iOS",
"x_mitre_aliases": [
"Pegasus for iOS"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)",
"x_mitre_old_attack_id": "MOB-S0011",
"id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"external_references": [
{
"external_id": "S0295",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0295"
},
{
"source_name": "RCSAndroid",
"description": "(Citation: TrendMicro-RCSAndroid)"
},
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:38.274Z",
"x_mitre_platforms": [
"Android"
],
"name": "RCSAndroid",
"x_mitre_aliases": [
"RCSAndroid"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)",
"x_mitre_old_attack_id": "MOB-S0042",
"id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"external_references": [
{
"external_id": "S0326",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0326"
},
{
"source_name": "RedDrop",
"description": "(Citation: Wandera-RedDrop)"
},
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "RedDrop",
"x_mitre_aliases": [
"RedDrop"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)",
"x_mitre_old_attack_id": "MOB-S0029",
"id": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"external_references": [
{
"external_id": "S0313",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0313"
},
{
"source_name": "RuMMS",
"description": "(Citation: FireEye-RuMMS)"
},
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:48.917Z",
"x_mitre_platforms": [
"Android"
],
"name": "RuMMS",
"x_mitre_aliases": [
"RuMMS"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, and Kemoge, though it is not believed that all of the families were created by the same group. (Citation: Lookout-Adware)",
"x_mitre_old_attack_id": "MOB-S0010",
"id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"external_references": [
{
"external_id": "S0294",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0294"
},
{
"source_name": "ShiftyBug",
"description": "(Citation: Lookout-Adware)"
},
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:38.690Z",
"x_mitre_platforms": [
"Android"
],
"name": "ShiftyBug",
"x_mitre_aliases": [
"ShiftyBug"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)",
"x_mitre_old_attack_id": "MOB-S0043",
"id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"external_references": [
{
"external_id": "S0327",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0327"
},
{
"source_name": "Skygofree",
"description": "(Citation: Kaspersky-Skygofree)"
},
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "Skygofree",
"x_mitre_aliases": [
"Skygofree"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)",
"x_mitre_old_attack_id": "MOB-S0040",
"id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"external_references": [
{
"external_id": "S0324",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0324"
},
{
"source_name": "SpyDealer",
"description": "(Citation: PaloAlto-SpyDealer)"
},
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "SpyDealer",
"x_mitre_aliases": [
"SpyDealer"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)",
"x_mitre_old_attack_id": "MOB-S0021",
"id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"external_references": [
{
"external_id": "S0305",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0305"
},
{
"source_name": "SpyNote RAT",
"description": "(Citation: Zscaler-SpyNote)"
},
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:45.794Z",
"x_mitre_platforms": [
"Android"
],
"name": "SpyNote RAT",
"x_mitre_aliases": [
"SpyNote RAT"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)",
"x_mitre_old_attack_id": "MOB-S0044",
"id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"external_references": [
{
"external_id": "S0328",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0328"
},
{
"source_name": "Stealth Mango",
"description": "(Citation: Lookout-StealthMango)"
},
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "Stealth Mango",
"x_mitre_aliases": [
"Stealth Mango"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)",
"x_mitre_old_attack_id": "MOB-S0045",
"id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"external_references": [
{
"external_id": "S0329",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0329"
},
{
"source_name": "Tangelo",
"description": "(Citation: Lookout-StealthMango)"
},
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"iOS"
],
"name": "Tangelo",
"x_mitre_aliases": [
"Tangelo"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)",
"x_mitre_old_attack_id": "MOB-S0023",
"id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"external_references": [
{
"external_id": "S0307",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0307"
},
{
"source_name": "Trojan-SMS.AndroidOS.Agent.ao",
"description": "(Citation: Kaspersky-MobileMalware)"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:46.411Z",
"x_mitre_platforms": [
"Android"
],
"name": "Trojan-SMS.AndroidOS.Agent.ao",
"x_mitre_aliases": [
"Trojan-SMS.AndroidOS.Agent.ao"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)",
"x_mitre_old_attack_id": "MOB-S0022",
"id": "malware--28e39395-91e7-4f02-b694-5e079c964da9",
"external_references": [
{
"external_id": "S0306",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0306"
},
{
"source_name": "Trojan-SMS.AndroidOS.FakeInst.a",
"description": "(Citation: Kaspersky-MobileMalware)"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:46.107Z",
"x_mitre_platforms": [
"Android"
],
"name": "Trojan-SMS.AndroidOS.FakeInst.a",
"x_mitre_aliases": [
"Trojan-SMS.AndroidOS.FakeInst.a"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)",
"x_mitre_old_attack_id": "MOB-S0024",
"id": "malware--d89c132d-7752-4c7f-9372-954a71522985",
"external_references": [
{
"external_id": "S0308",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0308"
},
{
"source_name": "Trojan-SMS.AndroidOS.OpFake.a",
"description": "(Citation: Kaspersky-MobileMalware)"
},
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:46.734Z",
"x_mitre_platforms": [
"Android"
],
"name": "Trojan-SMS.AndroidOS.OpFake.a",
"x_mitre_aliases": [
"Trojan-SMS.AndroidOS.OpFake.a"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)",
"x_mitre_old_attack_id": "MOB-S0028",
"id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"external_references": [
{
"external_id": "S0312",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0312"
},
{
"source_name": "WireLurker",
"description": "(Citation: PaloAlto-WireLurker)"
},
{
"source_name": "PaloAlto-WireLurker",
"description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:37.020Z",
"x_mitre_platforms": [
"iOS"
],
"name": "WireLurker",
"x_mitre_aliases": [
"WireLurker"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).",
"x_mitre_old_attack_id": "MOB-S0030",
"id": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"external_references": [
{
"external_id": "S0314",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0314"
},
{
"source_name": "X-Agent for Android",
"description": "(Citation: CrowdStrike-Android)"
},
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:42.034Z",
"x_mitre_platforms": [
"Android"
],
"name": "X-Agent for Android",
"x_mitre_aliases": [
"X-Agent for Android"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)",
"x_mitre_old_attack_id": "MOB-S0034",
"id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"external_references": [
{
"external_id": "S0318",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0318"
},
{
"source_name": "XLoader",
"description": "(Citation: TrendMicro-XLoader)"
},
{
"source_name": "TrendMicro-XLoader",
"description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_platforms": [
"Android"
],
"name": "XLoader",
"x_mitre_aliases": [
"XLoader"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)",
"x_mitre_old_attack_id": "MOB-S0013",
"id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"external_references": [
{
"external_id": "S0297",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0297"
},
{
"source_name": "XcodeGhost",
"description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)"
},
{
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
},
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:42.661Z",
"x_mitre_platforms": [
"iOS"
],
"name": "XcodeGhost",
"x_mitre_aliases": [
"XcodeGhost"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)",
"x_mitre_old_attack_id": "MOB-S0027",
"id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"external_references": [
{
"external_id": "S0311",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0311"
},
{
"source_name": "YiSpecter",
"description": "(Citation: PaloAlto-YiSpecter)"
},
{
"source_name": "PaloAlto-YiSpecter",
"description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:48.301Z",
"x_mitre_platforms": [
"iOS"
],
"name": "YiSpecter",
"x_mitre_aliases": [
"YiSpecter"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)",
"x_mitre_old_attack_id": "MOB-S0003",
"id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"external_references": [
{
"external_id": "S0287",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0287"
},
{
"source_name": "ZergHelper",
"description": "(Citation: Xiao-ZergHelper)"
},
{
"source_name": "Xiao-ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "malware",
"created": "2017-10-25T14:48:44.853Z",
"x_mitre_platforms": [
"iOS"
],
"name": "ZergHelper",
"x_mitre_aliases": [
"ZergHelper"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"type": "marking-definition",
"definition": {
"statement": "Copyright 2017, The MITRE Corporation"
},
"definition_type": "statement",
"created": "2017-06-01T00:00:00Z",
"id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
]
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)",
"x_mitre_old_attack_id": "MOB-S0014",
"id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"external_references": [
{
"external_id": "S0298",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0298"
},
{
"source_name": "Xbot",
"description": "(Citation: PaloAlto-Xbot)"
},
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"x_mitre_version": "1.1",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-12-11T20:40:31.461Z",
"type": "tool",
"created": "2017-10-25T14:48:48.609Z",
"x_mitre_platforms": [
"Android"
],
"name": "Xbot",
"x_mitre_aliases": [
"Xbot"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"external_id": "mobile-attack",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/matrices/mobile"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b",
"name": "Device Access",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "x-mitre-matrix",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The MITRE ATT&CK Matrix\u2122 provides a visual representation of the adversarial tactics and techniques described in the ATT&CK model. Tactic categories are listed on the top row, and individual techniques as cells underneath each tactic to denote that technique can be used to accomplish that particular tactic. Techniques can span multiple tactic categories signifying that they can be used for more than one purpose. Below are two ATT&CK Mobile Matrices, one for adversarial tactics and techniques involving device access, and one for adversarial tactics and techniques, and one for network-based effects that can be used by adversaries without device access.",
"tactic_refs": [
"x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6",
"x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54",
"x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8",
"x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df",
"x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10",
"x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1",
"x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f",
"x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e",
"x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba",
"x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981",
"x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"external_id": "mobile-attack",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/matrices/mobile"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc",
"name": "Network-Based Effects",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "x-mitre-matrix",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "The MITRE ATT&CK Matrix\u2122 provides a visual representation of the adversarial tactics and techniques described in the ATT&CK model. Tactic categories are listed on the top row, and individual techniques as cells underneath each tactic to denote that technique can be used to accomplish that particular tactic. Techniques can span multiple tactic categories signifying that they can be used for more than one purpose. Below are two ATT&CK Mobile Matrices, one for adversarial tactics and techniques involving device access, and one for adversarial tactics and techniques, and one for network-based effects that can be used by adversaries without device access.",
"tactic_refs": [
"x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210",
"x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1453",
"source_name": "mitre-mobile-attack",
"external_id": "T1453"
},
{
"url": "https://www.skycure.com/blog/accessibility-clickjacking/",
"source_name": "Skycure-Accessibility",
"description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:07:22.709Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"x_mitre_old_attack_id": "MOB-T1056",
"name": "Abuse Accessibility Features",
"created": "2017-10-25T14:48:08.613Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions(Citation: Skycure-Accessibility).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1401",
"source_name": "mitre-mobile-attack",
"external_id": "T1401"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-22"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T16:56:41.200Z",
"x_mitre_detection": "The device user can view a list of apps with Device Administrator privilege in the device settings.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "persistence",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"x_mitre_old_attack_id": "MOB-T1004",
"name": "Abuse Device Administrator Access to Prevent Removal",
"created": "2017-10-25T14:48:29.774Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "A malicious application can request Device Administrator privileges. If the user grants the privileges, the application can take steps to make its removal more difficult.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1445",
"source_name": "mitre-mobile-attack",
"external_id": "T1445"
}
],
"id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"x_mitre_old_attack_id": "MOB-T1048",
"name": "Abuse of iOS Enterprise App Signing Key",
"created": "2017-10-25T14:48:16.288Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.701Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1435",
"source_name": "mitre-mobile-attack",
"external_id": "T1435"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"x_mitre_old_attack_id": "MOB-T1038",
"name": "Access Calendar Entries",
"created": "2017-10-25T14:48:20.727Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1433",
"source_name": "mitre-mobile-attack",
"external_id": "T1433"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"x_mitre_old_attack_id": "MOB-T1036",
"name": "Access Call Log",
"created": "2017-10-25T14:48:11.116Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1432",
"source_name": "mitre-mobile-attack",
"external_id": "T1432"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"x_mitre_old_attack_id": "MOB-T1035",
"name": "Access Contact List",
"created": "2017-10-25T14:48:11.535Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1413",
"source_name": "mitre-mobile-attack",
"external_id": "T1413"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-3"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-13"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"x_mitre_old_attack_id": "MOB-T1016",
"name": "Access Sensitive Data in Device Logs",
"created": "2017-10-25T14:48:17.176Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1409",
"source_name": "mitre-mobile-attack",
"external_id": "T1409"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "AUT-0"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"x_mitre_old_attack_id": "MOB-T1012",
"name": "Access Sensitive Data or Credentials in Files",
"created": "2017-10-25T14:48:15.402Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1438",
"source_name": "mitre-mobile-attack",
"external_id": "T1438"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-30"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "command-and-control",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "exfiltration",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"x_mitre_old_attack_id": "MOB-T1041",
"name": "Alternate Network Mediums",
"created": "2017-10-25T14:48:27.307Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1416",
"source_name": "mitre-mobile-attack",
"external_id": "T1416"
},
{
"url": "https://tools.ietf.org/html/rfc7636",
"source_name": "IETF-PKCE",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T17:05:31.465Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"x_mitre_old_attack_id": "MOB-T1019",
"name": "Android Intent Hijacking",
"created": "2017-10-25T14:48:32.008Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1402",
"source_name": "mitre-mobile-attack",
"external_id": "T1402"
},
{
"url": "http://ieeexplore.ieee.org/document/6234407",
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:28:26.995Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "persistence",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"x_mitre_old_attack_id": "MOB-T1005",
"name": "App Auto-Start at Device Boot",
"created": "2017-10-25T14:48:30.127Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\nAn analysis published in 2012(Citation: Zhou) of 1260 Android malware samples belonging to 49 families of malware determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1434",
"source_name": "mitre-mobile-attack",
"external_id": "T1434"
}
],
"id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"x_mitre_old_attack_id": "MOB-T1037",
"name": "App Delivered via Email Attachment",
"created": "2017-10-25T14:48:10.699Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.699Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1431",
"source_name": "mitre-mobile-attack",
"external_id": "T1431"
}
],
"id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"x_mitre_old_attack_id": "MOB-T1034",
"name": "App Delivered via Web Download",
"created": "2017-10-25T14:48:11.861Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.699Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1418",
"source_name": "mitre-mobile-attack",
"external_id": "T1418"
},
{
"url": "https://developer.android.com/reference/android/content/pm/PackageManager.html",
"source_name": "Android-PackageManager",
"description": "Android. (n.d.). PackageManager. Retrieved December 21, 2016."
},
{
"url": "https://andreas-kurtz.de/2014/09/malicious-ios-apps/",
"source_name": "Kurtz-MaliciousiOSApps",
"description": "Andreas Kurtz. (2014, September 18). Malicious iOS Apps. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"x_mitre_old_attack_id": "MOB-T1021",
"name": "Application Discovery",
"created": "2017-10-25T14:48:28.067Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary's risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.\n\nOn Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.\n\nOn iOS, apps can use private API calls to obtain a list of other apps installed on the device. (Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple's App Store.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1427",
"source_name": "mitre-mobile-attack",
"external_id": "T1427"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "PHY-2"
},
{
"url": "http://dl.acm.org/citation.cfm?id=1920314",
"source_name": "Wang-ExploitingUSB",
"description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016."
},
{
"url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/",
"source_name": "ArsTechnica-PoisonTap",
"description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:51:19.932Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "lateral-movement",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"x_mitre_old_attack_id": "MOB-T1030",
"name": "Attack PC via USB Connection",
"created": "2017-10-25T14:48:13.625Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC.(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1460",
"source_name": "mitre-mobile-attack",
"external_id": "T1460"
}
],
"id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"x_mitre_old_attack_id": "MOB-T1063",
"name": "Biometric Spoofing",
"created": "2017-10-25T14:48:24.069Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.703Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1414",
"source_name": "mitre-mobile-attack",
"external_id": "T1414"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-35"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"x_mitre_old_attack_id": "MOB-T1017",
"name": "Capture Clipboard Data",
"created": "2017-10-25T14:48:19.996Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "A malicious app or other attack vector could capture sensitive data stored in the device clipboard, for example passwords being copy-and-pasted from a password manager app.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1412",
"source_name": "mitre-mobile-attack",
"external_id": "T1412"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"x_mitre_old_attack_id": "MOB-T1015",
"name": "Capture SMS Messages",
"created": "2017-10-25T14:48:15.920Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1436",
"source_name": "mitre-mobile-attack",
"external_id": "T1436"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "command-and-control",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "exfiltration",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"x_mitre_old_attack_id": "MOB-T1039",
"name": "Commonly Used Port",
"created": "2017-10-25T14:48:16.650Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1475",
"source_name": "mitre-mobile-attack",
"external_id": "T1475"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-4"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-16"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-17"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-20"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-21"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-22"
},
{
"url": "http://dl.acm.org/citation.cfm?id=2592796",
"source_name": "Petsas",
"description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016."
},
{
"url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf",
"source_name": "Oberheide-Bouncer",
"description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016."
},
{
"url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf",
"source_name": "Percoco-Bouncer",
"description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016."
},
{
"url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei",
"source_name": "Wang",
"description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016."
},
{
"url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/",
"source_name": "Oberheide-RemoteInstall",
"description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016."
},
{
"url": "http://www.vvdveen.com/publications/BAndroid.pdf",
"source_name": "Konoth",
"description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T17:31:51.215Z",
"x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"x_mitre_old_attack_id": "MOB-T1078",
"name": "Deliver Malicious App via Authorized App Store",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n* PRE-ATT&CK: [Choose pre-compromised mobile app developer account credentials or signing keys](https://attack.mitre.org/techniques/T1391)\n* PRE-ATT&CK: [Test ability to evade automated mobile application security analysis performed by app stores](https://attack.mitre.org/techniques/T1393)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1476",
"source_name": "mitre-mobile-attack",
"external_id": "T1476"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "AUT-9"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-13"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-21"
},
{
"url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861",
"source_name": "IBTimes-ThirdParty",
"description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018."
},
{
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/",
"source_name": "TrendMicro-RootingMalware",
"description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018."
},
{
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/",
"source_name": "TrendMicro-FlappyBird",
"description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:08:44.916Z",
"x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"x_mitre_old_attack_id": "MOB-T1079",
"name": "Deliver Malicious App via Other Means",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store, which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1192) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nAs a prerequisite, adversaries may use this PRE-ATT&CK technique:\n\n* [Obtain Apple iOS enterprise distribution key pair and certificate](https://attack.mitre.org/techniques/T1392)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1440",
"source_name": "mitre-mobile-attack",
"external_id": "T1440"
}
],
"id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"x_mitre_old_attack_id": "MOB-T1043",
"name": "Detect App Analysis Environment",
"created": "2017-10-25T14:48:26.473Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.700Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1419",
"source_name": "mitre-mobile-attack",
"external_id": "T1419"
},
{
"url": "https://zeltser.com/third-party-keyboards-security/",
"source_name": "Android-Build",
"description": "Android. (n.d.). Build. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"x_mitre_old_attack_id": "MOB-T1022",
"name": "Device Type Discovery",
"created": "2017-10-25T14:48:28.456Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1459",
"source_name": "mitre-mobile-attack",
"external_id": "T1459"
}
],
"id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"x_mitre_old_attack_id": "MOB-T1062",
"name": "Device Unlock Code Guessing or Brute Force",
"created": "2017-10-25T14:48:23.652Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.703Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1408",
"source_name": "mitre-mobile-attack",
"external_id": "T1408"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "EMM-5"
},
{
"url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf",
"source_name": "Brodie",
"description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016."
},
{
"url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions",
"source_name": "Tan",
"description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017."
},
{
"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf",
"source_name": "Rastogi",
"description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:34:59.071Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"x_mitre_old_attack_id": "MOB-T1011",
"name": "Disguise Root/Jailbreak Indicators",
"created": "2017-10-25T14:48:14.003Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1466",
"source_name": "mitre-mobile-attack",
"external_id": "T1466"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-3"
},
{
"url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf",
"source_name": "NIST-SP800187",
"description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:16:13.386Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"x_mitre_old_attack_id": "MOB-T1069",
"name": "Downgrade to Insecure Protocols",
"created": "2017-10-25T14:48:21.667Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1407",
"source_name": "mitre-mobile-attack",
"external_id": "T1407"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-20"
},
{
"url": "https://www.internetsociety.org/sites/default/files/10_5_0.pdf",
"source_name": "Poeplau-ExecuteThis",
"description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014, February). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved December 21, 2016."
},
{
"url": "https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/",
"source_name": "Bromium-AndroidRCE",
"description": "Tom Sutcliffe. (2014, July 31). Remote code execution on Android devices. Retrieved December 9, 2016."
},
{
"url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html",
"source_name": "FireEye-JSPatch",
"description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016."
},
{
"url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei",
"source_name": "Wang",
"description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:32:59.309Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"x_mitre_old_attack_id": "MOB-T1010",
"name": "Download New Code at Runtime",
"created": "2017-10-25T14:48:14.460Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis)\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE)\n\nOn iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1456",
"source_name": "mitre-mobile-attack",
"external_id": "T1456"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-22"
},
{
"url": "https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/",
"source_name": "Zimperium-Stagefright",
"description": "Zimperium. (2015, January 27). Experts Found a Unicorn in the Heart of Android. Retrieved December 23, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"x_mitre_old_attack_id": "MOB-T1059",
"name": "Drive-by Compromise",
"created": "2017-10-25T14:48:06.822Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1439",
"source_name": "mitre-mobile-attack",
"external_id": "T1439"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-0"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-1"
},
{
"url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps",
"source_name": "mHealth",
"description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:54:29.631Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"x_mitre_old_attack_id": "MOB-T1042",
"name": "Eavesdrop on Insecure Network Communication",
"created": "2017-10-25T14:48:26.104Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1471",
"source_name": "mitre-mobile-attack",
"external_id": "T1471"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-28"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-19T17:44:53.176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "impact",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"x_mitre_old_attack_id": "MOB-T1074",
"name": "Encrypt Files",
"created": "2017-10-25T14:48:10.285Z",
"x_mitre_version": "2.0",
"type": "attack-pattern",
"description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1455",
"source_name": "mitre-mobile-attack",
"external_id": "T1455"
}
],
"id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"x_mitre_old_attack_id": "MOB-T1058",
"name": "Exploit Baseband Vulnerability",
"created": "2017-10-25T14:48:07.149Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.702Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1428",
"source_name": "mitre-mobile-attack",
"external_id": "T1428"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-32"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "lateral-movement",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"x_mitre_old_attack_id": "MOB-T1031",
"name": "Exploit Enterprise Resources",
"created": "2017-10-25T14:48:13.259Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1404",
"source_name": "mitre-mobile-attack",
"external_id": "T1404"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-26"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "privilege-escalation",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"x_mitre_old_attack_id": "MOB-T1007",
"name": "Exploit OS Vulnerability",
"created": "2017-10-25T14:48:29.405Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1449",
"source_name": "mitre-mobile-attack",
"external_id": "T1449"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-37"
},
{
"url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf",
"source_name": "Engel-SS7",
"description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016."
},
{
"url": "https://www.youtube.com/watch?v=q0n5ySqbfdI",
"source_name": "Engel-SS7-2008",
"description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016."
},
{
"url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf",
"source_name": "3GPP-Security",
"description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016."
},
{
"url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
"source_name": "Positive-SS7",
"description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016."
},
{
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf",
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017."
},
{
"url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/",
"source_name": "TheRegister-SS7",
"description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T16:28:52.821Z",
"x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"x_mitre_old_attack_id": "MOB-T1052",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"created": "2017-10-25T14:48:06.524Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1450",
"source_name": "mitre-mobile-attack",
"external_id": "T1450"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-38"
},
{
"url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf",
"source_name": "Engel-SS7",
"description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016."
},
{
"url": "https://www.youtube.com/watch?v=q0n5ySqbfdI",
"source_name": "Engel-SS7-2008",
"description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016."
},
{
"url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf",
"source_name": "3GPP-Security",
"description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016."
},
{
"url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
"source_name": "Positive-SS7",
"description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016."
},
{
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf",
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017."
},
{
"source_name": "CSRIC-WG1-FinalReport",
"description": "CSRIC-WG1-FinalReport"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:06:10.014Z",
"x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"x_mitre_old_attack_id": "MOB-T1053",
"name": "Exploit SS7 to Track Device Location",
"created": "2017-10-25T14:48:09.864Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1405",
"source_name": "mitre-mobile-attack",
"external_id": "T1405"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-27"
},
{
"url": "https://usmile.at/symposium/program/2015/thomas-holmes",
"source_name": "Thomas-TrustZone",
"description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016."
},
{
"url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html",
"source_name": "QualcommKeyMaster",
"description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016."
},
{
"url": "https://usmile.at/symposium/program/2015/ekberg",
"source_name": "EkbergTEE",
"description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016."
},
{
"url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html",
"source_name": "laginimaineb-TEE",
"description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "privilege-escalation",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"x_mitre_old_attack_id": "MOB-T1008",
"name": "Exploit TEE Vulnerability",
"created": "2017-10-25T14:48:22.716Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1458",
"source_name": "mitre-mobile-attack",
"external_id": "T1458"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "PHY-1"
},
{
"url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/",
"source_name": "Krebs-JuiceJacking",
"description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016."
},
{
"url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf",
"source_name": "Lau-Mactans",
"description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016."
},
{
"url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/",
"source_name": "IBM-NexusUSB",
"description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017."
},
{
"url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html",
"source_name": "GoogleProjectZero-OATmeal",
"description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018."
},
{
"url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html",
"source_name": "Computerworld-iPhoneCracking",
"description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved September 21, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:10:41.460Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"x_mitre_old_attack_id": "MOB-T1061",
"name": "Exploit via Charging Station or PC",
"created": "2017-10-25T14:48:23.233Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking).\n\nPrevious demonstrations have included:\n\n* Injecting malicious applications into iOS devices(Citation: Lau-Mactans).\n* Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).\n* Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1477",
"source_name": "mitre-mobile-attack",
"external_id": "T1477"
},
{
"url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html",
"source_name": "ProjectZero-BroadcomWiFi",
"description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018."
},
{
"url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/",
"source_name": "Register-BaseStation",
"description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016."
},
{
"url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf",
"source_name": "Weinmann-Baseband",
"description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016."
},
{
"url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
"source_name": "Forbes-iPhoneSMS",
"description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016."
},
{
"url": "https://srlabs.de/bites/rooting-sim-cards/",
"source_name": "SRLabs-SIMCard",
"description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:19:22.439Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"x_mitre_old_attack_id": "MOB-T1080",
"name": "Exploit via Radio Interfaces",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1442",
"source_name": "mitre-mobile-attack",
"external_id": "T1442"
}
],
"id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"x_mitre_old_attack_id": "MOB-T1045",
"name": "Fake Developer Accounts",
"created": "2017-10-25T14:48:28.786Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.701Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1420",
"source_name": "mitre-mobile-attack",
"external_id": "T1420"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"x_mitre_old_attack_id": "MOB-T1023",
"name": "File and Directory Discovery",
"created": "2017-10-25T14:48:21.965Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.\n\niOS's security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1472",
"source_name": "mitre-mobile-attack",
"external_id": "T1472"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-19T17:44:53.176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "impact",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"x_mitre_old_attack_id": "MOB-T1075",
"name": "Generate Fraudulent Advertising Revenue",
"created": "2017-10-25T14:48:18.937Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1425",
"source_name": "mitre-mobile-attack",
"external_id": "T1425"
}
],
"id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"x_mitre_old_attack_id": "MOB-T1028",
"name": "Insecure Third-Party Libraries",
"created": "2017-10-25T14:48:30.462Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.699Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1478",
"source_name": "mitre-mobile-attack",
"external_id": "T1478"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "STA-7"
},
{
"url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security",
"source_name": "Symantec-iOSProfile",
"description": "Yair Amit. (2013, March 12). Malicious Profiles \u2013 The Sleeping Giant of iOS Security. Retrieved September 24, 2018."
},
{
"url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html",
"source_name": "Talos-MDM",
"description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2",
"x_mitre_old_attack_id": "MOB-T1081",
"name": "Install Insecure or Malicious Configuration",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to man-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1464",
"source_name": "mitre-mobile-attack",
"external_id": "T1464"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-7"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-8"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "LPN-5"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "GPS-0"
},
{
"url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf",
"source_name": "NIST-SP800187",
"description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017."
},
{
"url": "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/",
"source_name": "CNET-Celljammer",
"description": "Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018."
},
{
"url": "https://www.nytimes.com/2007/11/04/technology/04jammer.html",
"source_name": "NYTimes-Celljam",
"description": "Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018."
},
{
"url": "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/",
"source_name": "Digitaltrends-Celljam",
"description": "Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students\u2019 cell phones. Retrieved November 8, 2018."
},
{
"url": "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/",
"source_name": "Arstechnica-Celljam",
"description": "David Kravets. (2016, March 10). Man accused of jamming passengers\u2019 cell phones on Chicago subway. Retrieved November 8, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:15:21.946Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
"x_mitre_old_attack_id": "MOB-T1067",
"name": "Jamming or Denial of Service",
"created": "2017-10-25T14:48:25.740Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1430",
"source_name": "mitre-mobile-attack",
"external_id": "T1430"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-24"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access device location through the device settings screen, and the user can choose to revoke the permissions.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"x_mitre_old_attack_id": "MOB-T1033",
"name": "Location Tracking",
"created": "2017-10-25T14:48:12.267Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could use a malicious or exploited application to surreptitiously track the device's physical location through use of standard operating system APIs.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1446",
"source_name": "mitre-mobile-attack",
"external_id": "T1446"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-28"
},
{
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/",
"source_name": "Xiao-KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-19T17:44:53.176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "impact",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"x_mitre_old_attack_id": "MOB-T1049",
"name": "Lock User Out of Device",
"created": "2017-10-25T14:48:17.886Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary may seek to lock the legitimate user out of the device, for example until a ransom is paid.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to lock the user out of the device.\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been demonstrated that can lock the user out of the device (Citation: Xiao-KeyRaider).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1461",
"source_name": "mitre-mobile-attack",
"external_id": "T1461"
},
{
"url": "https://srlabs.de/bites/spoofing-fingerprints/",
"source_name": "SRLabs-Fingerprint",
"description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016."
},
{
"url": "https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/",
"source_name": "SecureIDNews-Spoof",
"description": "Zack Martin. (2016, March 11). Another spoof of mobile biometrics. Retrieved September 18, 2018."
},
{
"url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/",
"source_name": "TheSun-FaceID",
"description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple\u2019s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018."
},
{
"url": "https://support.apple.com/en-us/HT204587",
"source_name": "Apple-TouchID",
"description": "Apple. (2015, November 3). About Touch ID security on iPhone and iPad. Retrieved December 23, 2016."
},
{
"url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/",
"source_name": "Wired-AndroidBypass",
"description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016."
},
{
"url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/",
"source_name": "Kaspersky-iOSBypass",
"description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T17:08:07.111Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"x_mitre_old_attack_id": "MOB-T1064",
"name": "Lockscreen Bypass",
"created": "2017-10-25T14:48:24.488Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. \n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1457",
"source_name": "mitre-mobile-attack",
"external_id": "T1457"
}
],
"id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"x_mitre_old_attack_id": "MOB-T1060",
"name": "Malicious Media Content",
"created": "2017-10-25T14:48:19.682Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.703Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1454",
"source_name": "mitre-mobile-attack",
"external_id": "T1454"
}
],
"id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"x_mitre_old_attack_id": "MOB-T1057",
"name": "Malicious SMS Message",
"created": "2017-10-25T14:48:08.155Z",
"revoked": true,
"modified": "2019-04-29T19:35:30.985Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1462",
"source_name": "mitre-mobile-attack",
"external_id": "T1462"
}
],
"id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"x_mitre_old_attack_id": "MOB-T1065",
"name": "Malicious Software Development Tools",
"created": "2017-10-25T14:48:24.905Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.704Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1417",
"source_name": "mitre-mobile-attack",
"external_id": "T1417"
},
{
"url": "https://zeltser.com/third-party-keyboards-security/",
"source_name": "Zeltser-Keyboard",
"description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:46:13.331Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"x_mitre_old_attack_id": "MOB-T1020",
"name": "Malicious Third Party Keyboard App",
"created": "2017-10-25T14:48:27.660Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords(Citation: Zeltser-Keyboard).\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1473",
"source_name": "mitre-mobile-attack",
"external_id": "T1473"
}
],
"id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"x_mitre_old_attack_id": "MOB-T1076",
"name": "Malicious or Vulnerable Built-in Device Functionality",
"created": "2017-10-25T14:48:09.446Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.704Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1452",
"source_name": "mitre-mobile-attack",
"external_id": "T1452"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-19T17:44:53.176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "impact",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"x_mitre_old_attack_id": "MOB-T1055",
"name": "Manipulate App Store Rankings or Ratings",
"created": "2017-10-25T14:48:07.460Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1463",
"source_name": "mitre-mobile-attack",
"external_id": "T1463"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-1"
},
{
"url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html",
"source_name": "FireEye-SSL",
"description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"x_mitre_old_attack_id": "MOB-T1066",
"name": "Manipulate Device Communication",
"created": "2017-10-25T14:48:25.322Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks (Citation: FireEye-SSL).",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1429",
"source_name": "mitre-mobile-attack",
"external_id": "T1429"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-19"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to use the microphone or the camera through the device settings screen, and the user can choose to revoke the permissions.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"x_mitre_old_attack_id": "MOB-T1032",
"name": "Microphone or Camera Recordings",
"created": "2017-10-25T14:48:12.913Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary could use a malicious or exploited application to surreptitiously record activities using the device microphone and/or camera through use of standard operating system APIs.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1398",
"source_name": "mitre-mobile-attack",
"external_id": "T1398"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-26"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-27"
},
{
"url": "https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered",
"source_name": "Samsung-KnoxWarrantyBit",
"description": "Samsung. (n.d.). What is a Knox Warranty Bit and how is it triggered?. Retrieved December 21, 2016."
},
{
"url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf",
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices. Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\nSamsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered \"if a non-Knox kernel has been loaded on the device\" (Citation: Samsung-KnoxWarrantyBit). If triggered, enterprise Knox container services will no longer be available on the device.\n\nAs described in the iOS Security Guide (Citation: Apple-iOSSecurityGuide), iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.\n\nMany enterprise applications perform their own checks to detect and respond to compromised devices. These checks are not foolproof but can detect common signs of compromise.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "persistence",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"x_mitre_old_attack_id": "MOB-T1001",
"name": "Modify OS Kernel or Boot Partition",
"created": "2017-10-25T14:48:31.294Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.\n\nIf the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1400",
"source_name": "mitre-mobile-attack",
"external_id": "T1400"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-27"
},
{
"url": "https://source.android.com/security/verifiedboot/",
"source_name": "Android-VerifiedBoot",
"description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016."
},
{
"url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf",
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:24:47.779Z",
"x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "persistence",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"x_mitre_old_attack_id": "MOB-T1003",
"name": "Modify System Partition",
"created": "2017-10-25T14:48:30.890Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1399",
"source_name": "mitre-mobile-attack",
"external_id": "T1399"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-27"
},
{
"url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf",
"source_name": "Roth-Rootkits",
"description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016."
},
{
"url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf",
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:23:10.576Z",
"x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "persistence",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"x_mitre_old_attack_id": "MOB-T1002",
"name": "Modify Trusted Execution Environment",
"created": "2017-10-25T14:48:18.583Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1403",
"source_name": "mitre-mobile-attack",
"external_id": "T1403"
},
{
"url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf",
"source_name": "Sabanal-ART",
"description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "persistence",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"x_mitre_old_attack_id": "MOB-T1006",
"name": "Modify cached executable code",
"created": "2017-10-25T14:48:29.092Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. If an adversary can escalate privileges, he or she may be able to use those privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.\n\nSabanal describes the potential use of this technique in (Citation: Sabanal-ART).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1423",
"source_name": "mitre-mobile-attack",
"external_id": "T1423"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790",
"x_mitre_old_attack_id": "MOB-T1026",
"name": "Network Service Scanning",
"created": "2017-10-25T14:48:26.890Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1410",
"source_name": "mitre-mobile-attack",
"external_id": "T1410"
},
{
"url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/",
"source_name": "Skycure-Profiles",
"description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "collection",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"x_mitre_old_attack_id": "MOB-T1013",
"name": "Network Traffic Capture or Redirection",
"created": "2017-10-25T14:48:14.982Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1406",
"source_name": "mitre-mobile-attack",
"external_id": "T1406"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-21"
},
{
"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf",
"source_name": "Rastogi",
"description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016."
},
{
"url": "http://ieeexplore.ieee.org/document/6234407",
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016."
},
{
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/",
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016."
},
{
"url": "http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao",
"source_name": "Xiao-iOS",
"description": "Claud Xiao. (2016, July). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved December 9, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:30:05.159Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "defense-evasion",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"x_mitre_old_attack_id": "MOB-T1009",
"name": "Obfuscated Files or Information",
"created": "2017-10-25T14:48:32.328Z",
"x_mitre_version": "2.0",
"type": "attack-pattern",
"description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1470",
"source_name": "mitre-mobile-attack",
"external_id": "T1470"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-0"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-1"
},
{
"url": "https://www.elcomsoft.com/eppb.html",
"source_name": "Elcomsoft-EPPB",
"description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016."
},
{
"url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/",
"source_name": "Elcomsoft-WhatsApp",
"description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "remote-service-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"x_mitre_old_attack_id": "MOB-T1073",
"name": "Obtain Device Cloud Backups",
"created": "2017-10-25T14:48:18.237Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1448",
"source_name": "mitre-mobile-attack",
"external_id": "T1448"
},
{
"url": "https://blog.lookout.com/10-organizations-build-60-of-russian-toll-fraud-malware",
"source_name": "Lookout-SMS",
"description": "Ryan Sammy. (2013, August 2). 10 Organizations Build 60% of Russian Toll Fraud Malware. Retrieved December 22, 2016."
},
{
"url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf",
"source_name": "AndroidSecurity2014",
"description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-19T17:44:53.176Z",
"x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "impact",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"x_mitre_old_attack_id": "MOB-T1051",
"name": "Premium SMS Toll Fraud",
"created": "2017-10-25T14:48:09.082Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary(Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1424",
"source_name": "mitre-mobile-attack",
"external_id": "T1424"
},
{
"url": "https://code.google.com/p/android/issues/detail?id=205565",
"source_name": "Android-SELinuxChanges",
"description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"x_mitre_old_attack_id": "MOB-T1027",
"name": "Process Discovery",
"created": "2017-10-25T14:48:33.926Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the ps command, or by examining the /proc directory. Starting in Android version 7, use of the Linux kernel's hidepid feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1443",
"source_name": "mitre-mobile-attack",
"external_id": "T1443"
}
],
"id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"x_mitre_old_attack_id": "MOB-T1046",
"name": "Remotely Install Application",
"created": "2017-10-25T14:48:34.830Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.701Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1468",
"source_name": "mitre-mobile-attack",
"external_id": "T1468"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-5"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "EMM-7"
},
{
"url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/",
"source_name": "Krebs-Location",
"description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:16:59.424Z",
"x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "remote-service-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"x_mitre_old_attack_id": "MOB-T1071",
"name": "Remotely Track Device Without Authorization",
"created": "2017-10-25T14:48:21.023Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1469",
"source_name": "mitre-mobile-attack",
"external_id": "T1469"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "ECO-5"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "EMM-7"
},
{
"url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/",
"source_name": "Honan-Hacking",
"description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "remote-service-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"x_mitre_old_attack_id": "MOB-T1072",
"name": "Remotely Wipe Data Without Authorization",
"created": "2017-10-25T14:48:07.827Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1444",
"source_name": "mitre-mobile-attack",
"external_id": "T1444"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-14"
},
{
"url": "http://ieeexplore.ieee.org/document/6234407",
"source_name": "Zhou",
"description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:00:50.984Z",
"x_mitre_detection": "An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"x_mitre_old_attack_id": "MOB-T1047",
"name": "Repackaged Application",
"created": "2017-10-25T14:48:35.247Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app(Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1467",
"source_name": "mitre-mobile-attack",
"external_id": "T1467"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "CEL-7"
},
{
"url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html",
"source_name": "Computerworld-Femtocell",
"description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:17:11.346Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"x_mitre_old_attack_id": "MOB-T1070",
"name": "Rogue Cellular Base Station",
"created": "2017-10-25T14:48:22.296Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1465",
"source_name": "mitre-mobile-attack",
"external_id": "T1465"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "LPN-0"
},
{
"url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf",
"source_name": "NIST-SP800153",
"description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016."
},
{
"url": "https://blog.kaspersky.com/darkhotel-apt/6613/",
"source_name": "Kaspersky-DarkHotel",
"description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T15:15:18.023Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"x_mitre_old_attack_id": "MOB-T1068",
"name": "Rogue Wi-Fi Access Points",
"created": "2017-10-25T14:48:21.354Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1451",
"source_name": "mitre-mobile-attack",
"external_id": "T1451"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "STA-22"
},
{
"url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html",
"source_name": "NYGov-Simswap",
"description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016."
},
{
"url": "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam",
"source_name": "Motherboard-Simswap2",
"description": "Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018."
},
{
"url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/",
"source_name": "Betanews-Simswap",
"description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016."
},
{
"url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters",
"source_name": "Guardian-Simswap",
"description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016."
},
{
"url": "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin",
"source_name": "Motherboard-Simswap1",
"description": "Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018."
},
{
"url": "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/",
"source_name": "Krebs-SimSwap",
"description": "Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized \u2018SIM Swap\u2019 to Steal Instagram Account. Retrieved November 8, 2018."
},
{
"url": "https://techcrunch.com/2017/08/23/i-was-hacked/",
"source_name": "TechCrunch-SimSwap",
"description": "John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:13:24.168Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "network-effects",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5",
"x_mitre_old_attack_id": "MOB-T1054",
"name": "SIM Card Swap",
"created": "2017-10-25T14:48:20.329Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap) (Citation: Motherboard-Simswap2). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). \n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account (Citation: Guardian-Simswap) (Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap).",
"x_mitre_tactic_type": [
"Without Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1437",
"source_name": "mitre-mobile-attack",
"external_id": "T1437"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-29"
},
{
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/",
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:52:45.266Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "command-and-control",
"kill_chain_name": "mitre-mobile-attack"
},
{
"phase_name": "exfiltration",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"x_mitre_old_attack_id": "MOB-T1040",
"name": "Standard Application Layer Protocol",
"created": "2017-10-25T14:48:33.158Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1441",
"source_name": "mitre-mobile-attack",
"external_id": "T1441"
}
],
"id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"x_mitre_old_attack_id": "MOB-T1044",
"name": "Stolen Developer Credentials or Signing Keys",
"created": "2017-10-25T14:48:05.928Z",
"revoked": true,
"modified": "2018-10-17T01:05:10.700Z",
"type": "attack-pattern",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_version": "1.0"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1474",
"source_name": "mitre-mobile-attack",
"external_id": "T1474"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-6"
},
{
"url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/",
"source_name": "NowSecure-RemoteCode",
"description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved December 22, 2016."
},
{
"url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/",
"source_name": "Grace-Advertisement",
"description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016."
},
{
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2018-10-17T00:14:20.652Z",
"x_mitre_detection": "* Insecure third-party libraries could be detected by application vetting techniques. For example, Google's [App Security Improvement Program](https://developer.android.com/google/play/asi) detects the use of third-party libraries with known vulnerabilities within Android apps submitted to the Google Play Store.\n* Malicious software development tools could be detected by enterprises deploying integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "initial-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"x_mitre_old_attack_id": "MOB-T1077",
"name": "Supply Chain Compromise",
"created": "2018-10-17T00:14:20.652Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nRelated PRE-ATT&CK techniques include:\n\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1426",
"source_name": "mitre-mobile-attack",
"external_id": "T1426"
},
{
"url": "https://zeltser.com/third-party-keyboards-security/",
"source_name": "Android-Build",
"description": "Android. (n.d.). Build. Retrieved December 21, 2016."
},
{
"url": "http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on",
"source_name": "StackOverflow-iOSVersion",
"description": "Stack Overflow. (n.d.). How can we programmatically detect which iOS version is device running on?. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:48:12.871Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"x_mitre_old_attack_id": "MOB-T1029",
"name": "System Information Discovery",
"created": "2017-10-25T14:48:19.265Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class(Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information(Citation: StackOverflow-iOSVersion).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1422",
"source_name": "mitre-mobile-attack",
"external_id": "T1422"
},
{
"url": "https://developer.android.com/reference/java/net/NetworkInterface.html",
"source_name": "NetworkInterface",
"description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016."
},
{
"url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html",
"source_name": "TelephonyManager",
"description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-01T19:35:03.596Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"x_mitre_old_attack_id": "MOB-T1025",
"name": "System Network Configuration Discovery",
"created": "2017-10-25T14:48:32.740Z",
"x_mitre_version": "2.0",
"type": "attack-pattern",
"description": "On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class (Citation: NetworkInterface). The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number (Citation: TelephonyManager).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1421",
"source_name": "mitre-mobile-attack",
"external_id": "T1421"
},
{
"url": "https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en",
"source_name": "ConnMonitor",
"description": "Anti Spy Mobile. (2016, March 14). Network Connections. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-01T19:34:17.460Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "discovery",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"x_mitre_old_attack_id": "MOB-T1024",
"name": "System Network Connections Discovery",
"created": "2017-10-25T14:48:33.574Z",
"x_mitre_version": "2.0",
"type": "attack-pattern",
"description": "On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1415",
"source_name": "mitre-mobile-attack",
"external_id": "T1415"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "AUT-10"
},
{
"url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html",
"source_name": "FireEye-Masque2",
"description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016."
},
{
"url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html",
"source_name": "Dhanjani-URLScheme",
"description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016."
},
{
"url": "https://tools.ietf.org/html/rfc7636",
"source_name": "IETF-PKCE",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016."
},
{
"url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures",
"source_name": "MobileIron-XARA",
"description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T17:03:45.255Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"x_mitre_old_attack_id": "MOB-T1018",
"name": "URL Scheme Hijacking",
"created": "2017-10-25T14:48:17.533Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1411",
"source_name": "mitre-mobile-attack",
"external_id": "T1411"
},
{
"url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
"source_name": "NIST Mobile Threat Catalogue",
"external_id": "APP-31"
},
{
"url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf",
"source_name": "Felt-PhishingOnMobileDevices",
"description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016."
},
{
"url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/",
"source_name": "eset-finance",
"description": "Lukas Stefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018."
},
{
"source_name": "Hassell-ExploitingAndroid",
"description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved August 25, 2016."
},
{
"url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29",
"source_name": "Android-getRunningTasks",
"description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017."
},
{
"url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag",
"source_name": "StackOverflow-getRunningAppProcesses",
"description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017."
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-03T14:40:46.177Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"x_mitre_old_attack_id": "MOB-T1014",
"name": "User Interface Spoofing",
"created": "2017-10-25T14:48:34.407Z",
"x_mitre_version": "1.1",
"type": "attack-pattern",
"description": "User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.\n\n### Impersonate User Interface of Legitimate App or Device Function\n\nOn both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering sensitive information. The constrained display size of mobile devices (compared to traditional PC displays) may impair the ability to provide the user with contextual information (for example, displaying a full web site address) that may alert the user to a potential issue. (Citation: Felt-PhishingOnMobileDevices) As described by PRE-ATT&CK ([Spearphishing for Information](https://attack.mitre.org/techniques/T1397)), it is also possible for an adversary to carry out this form of the technique without a direct adversary presence on the mobile devices, e.g. through a spoofed web page.\n\n### Impersonate Identity of Legitimate App\n\nOn both Android and iOS, a malicious app could impersonate the identity of another app (e.g. use the same app name and/or icon) and somehow get installed on the device (e.g. using [Deliver Malicious App via Authorized App Store](https://attack.mitre.org/techniques/T1475) or [Deliver Malicious App via Other Means](https://attack.mitre.org/techniques/T1476)). The malicious app could then prompt the user for sensitive information. (Citation: eset-finance)\n\n### Abuse OS Features to Interfere with Legitimate App\n\nOn older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app. 
(Citation: Felt-PhishingOnMobileDevices) (Citation: Hassell-ExploitingAndroid) However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1481",
"source_name": "mitre-mobile-attack",
"external_id": "T1481"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-01T17:29:43.503Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android",
"iOS"
],
"kill_chain_phases": [
{
"phase_name": "command-and-control",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380",
"name": "Web Service",
"created": "2019-02-01T17:29:43.503Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.\n\nThese commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"external_references": [
{
"url": "https://attack.mitre.org/techniques/T1447",
"source_name": "mitre-mobile-attack",
"external_id": "T1447"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-07-19T17:44:53.176Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_platforms": [
"Android"
],
"kill_chain_phases": [
{
"phase_name": "impact",
"kill_chain_name": "mitre-mobile-attack"
}
],
"id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"x_mitre_old_attack_id": "MOB-T1050",
"name": "Wipe Device Data",
"created": "2017-10-25T14:48:31.694Z",
"x_mitre_version": "1.0",
"type": "attack-pattern",
"description": "A malicious application could abuse Android device administrator access to wipe device contents, for example if a ransom is not paid.",
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f157970b-4782-46d0-abdd-000ae6eea14b",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--01965668-d033-4aca-a8e5-71a07070e266",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9",
"created": "2018-10-17T00:14:20.652Z",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6186ed87-69a1-43e7-bb60-76527d287e31",
"created": "2019-04-29T19:35:31.074Z",
"modified": "2019-04-29T19:35:31.074Z",
"type": "relationship",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"source_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims..",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "iOS 10.3 and higher add an additional step for users to install new trusted CA certificates to make it more difficult to trick users into installing them. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful man-in-the-middle attack.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fe3ac79b-8bd2-4d95-805c-6a38de402add",
"external_references": [
{
"source_name": "Symantec-iOSProfile2",
"description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.",
"url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles"
},
{
"source_name": "Android-TrustedCA",
"description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.",
"url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Starting in Android 6.0, applications can no longer access MAC addresses of network interfaces.",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d",
"external_references": [
{
"source_name": "Android60Changes",
"description": "Android. (n.d.). Android 6.0 Changes. Retrieved December 21, 2016.",
"url": "https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html#behavior-hardware-id"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.745Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ef7f8f51-6aea-4f5c-9c96-f353a14cf062",
"source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c",
"external_references": [
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"relationship_type": "uses",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capture coordinates when an SMS message or call is received.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6885280e-5423-422a-94f1-e91d557e043e",
"external_references": [
{
"source_name": "PaloAlto-XcodeGhost1",
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
},
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On Android, applications must request the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permission to access the device's physical location. Extra scrutiny could be given to applications that request these permissions. On iOS, calls to the relevant APIs could be detected during the vetting process.",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--d22dc053-24a7-4a5b-ae51-8a626569ec9b",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-03T20:25:14.031Z",
"type": "relationship",
"id": "relationship--4d2d892c-9d3a-445c-b9bf-1eab45703dcc",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.740Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--634e2691-341f-4e5b-83e7-e28369d88c64",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892",
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421",
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"relationship_type": "uses",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was placed in a repackaged version of an application used by Ukrainian artillery forces.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--efcfe1a3-3351-4b4f-ae36-101f103b4798",
"external_references": [
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"relationship_type": "uses",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005",
"external_references": [
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks whether the device is on Wi-Fi, is on a cellular network, and is roaming.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Starting in Android 4.1, this technique requires privilege escalation for malicious applications to perform, as apps can no longer access the system log (other than log entries added by a particular app itself). (Additionally, with physical access to the device, the system log could be accessed via USB through the Android Debug Bridge.)",
"type": "relationship",
"created": "2017-10-25T14:48:53.739Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a",
"external_references": [
{
"source_name": "Android-ReadLogs",
"description": "Dianne Hackborn. (2012, July 12). Re: READ_LOGS permission is not granted to 3rd party applications in Jelly Bean (api 16). Retrieved December 21, 2016.",
"url": "https://groups.google.com/d/msg/android-developers/6U4A5irWang/AvZsrTdfICIJ"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61",
"external_references": [
{
"source_name": "PaloAlto-WireLurker",
"description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"relationship_type": "uses",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprises could potentially vet apps before allowing their use on devices, and carefully scrutinize apps that declare a BroadcastReceiver containing an intent-filter for BOOT_COMPLETED. Unfortunately this is likely not practical due to the vast number of apps with this behavior.",
"type": "relationship",
"id": "relationship--8e94da58-86b7-4a45-886e-6da58828eacd",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.745Z",
"modified": "2019-06-18T13:39:55.439Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6d8ea31a-da35-442a-8e0d-1d0c0dcdf14b",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Both iOS and Android require the user to explicitly authorize use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7b899be0-4a9c-4e52-aeab-d8acedfe26d0",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application-layer encryption (e.g. use of the Transport Layer Security protocol) or a Virtual Private Network (VPN) tunnel (e.g. using the IPsec protocol) may help mitigate use of untrusted Wi-Fi networks.",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4df969b3-f5a0-4802-b87e-a458e3e439ed",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3",
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef",
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was delivered via an SMS message containing a link to a web site with malicious code.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--34cd9b65-70c5-4be4-958c-32dc4673934c",
"external_references": [
{
"source_name": "PegasusCitizenLab",
"description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
"url": "https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3",
"external_references": [
{
"source_name": "Gooligan Citation",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45",
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a",
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"relationship_type": "uses",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user\u2019s clipboard.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c",
"external_references": [
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2388ba94-8e49-40d0-a697-eea948e6cfb6",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8ccfab20-58cf-4af6-9fb0-6bbf59258ac9",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Encourage users to protect their account credentials and to enable available multi-factor authentication options.",
"type": "relationship",
"created": "2017-10-25T14:48:53.740Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2bd272ca-8a14-42cd-9664-6cc6f7451e42",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting techniques could search for use of the Android PackageManager class to enumerate other apps, and such applications could have extra scrutiny applied to them. However, this technique may not be practical if many apps invoke these methods as part of their legitimate behavior. On iOS, application vetting techniques could similarly search for use of the private API call necessary to obtain a list of apps installed on the device. Additionally, on iOS, use of the private API call is likely to result in the app not being accepted into Apple's App Store.",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5b14149e-09f1-4d38-82bc-0ff3cff8b650",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Decreases the likelihood of a successful privilege escalation attack.",
"type": "relationship",
"created": "2017-10-25T14:48:53.736Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b28c1e81-4f78-4e40-9899-2872cdbcceba",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application-layer encryption (e.g. use of the Transport Layer Security protocol) or a Virtual Private Network (VPN) tunnel (e.g. using the IPsec protocol) may help mitigate weaknesses in the cellular network encryption.",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--690111d3-c281-4d55-a7ed-73b8dab72a85",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting could be used to analyze applications to determine whether they access this information, including determining whether the application requests the Android ACCESS_NETWORK_STATE permission (required in order to access NetworkInterface information) or the READ_PHONE_STATE permission (required in order to access TelephonyManager information).",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--513c05e2-afc6-4d1b-8a8e-6d6935a8626f",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained a simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by its authors by mistake.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea",
"external_references": [
{
"source_name": "HackerNews-Allwinner",
"description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.",
"url": "https://thehackernews.com/2016/05/android-kernal-exploit.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8",
"relationship_type": "uses",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application developers should be discouraged from writing sensitive data to the system log in production apps.",
"type": "relationship",
"created": "2017-10-25T14:48:53.739Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fab8c40d-b934-4ee0-8e83-f017af2e347a",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0",
"external_references": [
{
"source_name": "CheckPoint-Judy",
"description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.",
"url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4088b31b-d542-4935-84b4-82b592159591",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f0851531-e554-4658-920c-f2342632c19a",
"external_references": [
{
"source_name": "Lookout-Adware",
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS logs and deletes incoming messages from specified numbers, including those that contain particular strings.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "App vetting procedures can search for apps that use the android.os.Build class, but these procedures could potentially be evaded and are likely not practical in this case, as many apps are likely to use this functionality as part of their legitimate behavior.",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--05c87985-4f8a-4a38-b1cd-ab01f0a628ed",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning).",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--45a48a16-66ba-444e-89d2-61c163b956da",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "This mitigation may not always be effective depending on the method used to encrypt network traffic. In some cases, an adversary may be able to capture traffic before it is encrypted.",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Dendroid](https://attack.mitre.org/software/S0301) can take pictures using the phone\u2019s camera as well as record audio and video.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ed06f5dc-9d02-4896-a0a3-2f457c64f125",
"external_references": [
{
"source_name": "Lookout-Dendroid",
"description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DroidJack](https://attack.mitre.org/software/S0320) included code from the legitimate Pokemon GO app in order to appear identical to it from the user's perspective, but it also included additional malicious code.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5f82db63-d7c2-43c7-a056-3cf718201ced",
"external_references": [
{
"source_name": "Proofpoint-Droidjack",
"description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.",
"url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"relationship_type": "uses",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b5097495-f417-46ed-88e2-02cba2371936",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b",
"external_references": [
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS messages and contact information, and also intercepts and parses certain SMS messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c",
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2",
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) exfiltrated data, including sensitive letters/documents, stored photos, and stored audio files.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XLoader](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b",
"external_references": [
{
"source_name": "TrendMicro-XLoader",
"description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"relationship_type": "uses",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--95f4db59-e0b4-4c1b-b888-1fc76b21e8c0",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b2c61294-707f-4735-8874-e36ed6c1ff47",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b",
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) contains malicious embedded files, which are compiled to initiate the malicious functionality.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2979b822-3f0e-4cd6-b2dc-ea6da72008ed",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone number IMEI, and IMSI.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f",
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b2b31911-5b7e-4df3-89c6-00b5b372fb4f",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprise policies could be provisioned to devices to control the Wi-Fi access points that they are allowed to connect to.",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android Overlay Malware](https://attack.mitre.org/software/S0296) used view overlay techniques to present credential input UIs to trick users into providing their banking credentials.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3faed885-6a3d-444f-8e57-fd8818abb1cc",
"external_references": [
{
"source_name": "FireEye-AndroidOverlay",
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"relationship_type": "uses",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a",
"external_references": [
{
"source_name": "Gooligan Citation",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92",
"external_references": [
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RuMMS](https://attack.mitre.org/software/S0313) is delivered via an SMS message containing a link to an APK (Android application package).",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bbf13431-c3d2-4800-aada-273b3a47dcba",
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) update and sends the location of the phone.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1",
"external_references": [
{
"source_name": "Xiao-ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Android and iOS provide hardware-backed capabilities to store credentials in an isolated location where they are less likely to be compromised even in the case of a successful privilege escalation attack against the operating system.",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--be2895e2-7e1d-4467-8b6a-ac06b17ce0bb",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting may be able to identify the presence of exploit code within applications.",
"type": "relationship",
"created": "2017-10-25T14:48:53.745Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5f6f5913-cade-4b14-aa96-5a921b0927a7",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting techniques can scan for use of cleartext communication, insecure TrustManager implementations, and other potential network communication weaknesses. The Google Play Store now automatically assesses submitted applications for insecure TrustManager implementations.",
"type": "relationship",
"created": "2017-10-25T14:48:53.743Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6f1cadef-283b-466b-bfa2-0cb51edf88f7",
"external_references": [
{
"source_name": "Google-TrustManager",
"description": "Google. (n.d.). How to fix apps containing an unsafe implementation of TrustManager. Retrieved December 24, 2016.",
"url": "https://support.google.com/faqs/answer/6346016?hl=en"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On Android, applications must request the RECORD_AUDIO permission to access the microphone and the CAMERA permission to access the camera. Extra scrutiny could be given to applications that request these permissions. On iOS, calls to the relevant APIs could be detected during the vetting process.",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--50986206-ad56-4dea-baed-846545fb2f5a",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.740Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--62480750-2218-4ea0-b168-b9035b9ee998",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) was delivered via a spearphishing message containing a malicious Android application as an attachment.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f0a81b31-97ce-403b-90e9-7a910a93a31f",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1",
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--34351abd-1f58-420a-a893-ad822839815d",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1",
"external_references": [
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On Android, accessing device calendar data requires that the app hold the READ_CALENDAR permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access device calendar data, with extra scrutiny applied to any that do so.",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--85328449-c231-444d-905a-2988c14d3e82",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966",
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Android 7 provides stronger default file permissions over application internal data storage directories, decreasing the likelihood that insecure file permissions can be exploited.",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ZergHelper](https://attack.mitre.org/software/S0287) apparently evaded Apple's app review process by performing different behaviors for users from different physical locations (e.g. performing differently for users in China versus outside of China), which could have bypassed the review process depending on the country from which it was performed.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f8277cd5-b14a-4b59-9f29-8ce24dfbdf5e",
"external_references": [
{
"source_name": "Xiao-ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"relationship_type": "uses",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a4b53160-fdb8-4cab-90cc-ad12ab13a8a0",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. Maggi and Zanero describe a static analysis approach that can be used to identify ransomware apps including apps that abuse Device Administrator access.",
"type": "relationship",
"created": "2017-10-25T14:48:53.745Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4a697724-4457-436b-97ad-9d6f445fb6b0",
"external_references": [
{
"source_name": "Maggi-Ransomware",
"description": "Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.",
"url": "https://www.blackhat.com/docs/eu-16/materials/eu-16-Maggi-Pocket-Sized-Badness-Why-Ransomware-Comes-As-A-Plot-Twist-In-The-Cat-Mouse-Game.pdf"
}
],
"modified": "2019-02-03T16:56:41.477Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Encourage developers to protect their account credentials and enable multi-factor authentication if available. Encourage developers to protect their signing keys.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a3dab73a-0af2-44c3-ba33-9b20133ae5cf",
"modified": "2019-02-03T17:31:51.751Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Increase difficulty of escalating privileges, as security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9",
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"relationship_type": "uses",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On Android, accessing the device call log requires that the app hold the READ_CALL_LOG permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate.",
"type": "relationship",
"created": "2017-10-25T14:48:53.736Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--69d6f3fc-17ea-4a32-b4dd-a006c75362d6",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "In July 2016, [HummingBad](https://attack.mitre.org/software/S0322) generated more than $300,000 per month in revenue from installing fraudulent apps and displaying malicious advertisements.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ac523dfb-36be-4402-acf2-abe98e183eef",
"external_references": [
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates IMEI, IMSI, MNC, MCC, nearby WiFi networks, and other device and SIM related info.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprises performing application vetting could search for applications that declare the RECEIVE_SMS permission and scrutinize them closely.",
"type": "relationship",
"created": "2017-10-25T14:48:53.739Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--16f55053-285d-411d-881c-6f8c1bdef8d7",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b18aa181-b1b7-43dd-9389-16a13ef2a6ed",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--aa39b402-7ecc-4057-a989-663887e540e7",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9",
"external_references": [
{
"source_name": "CheckPoint-Judy",
"description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.",
"url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760",
"relationship_type": "uses",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[KeyRaider](https://attack.mitre.org/software/S0288) has built-in functionality to lock victims out of devices and hold them for ransom.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9f737872-3503-4ef4-b575-ab6037b33a98",
"external_references": [
{
"source_name": "Xiao-KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"relationship_type": "uses",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--15a2702e-4e49-4255-909d-bbf94abfd1d7",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a01af4da-0910-4a20-805f-86b3ae1dc046",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "App developers should be advised to use the Android Network Security Configuration feature and the iOS App Transport Security feature to gain some level of assurance that app network traffic is protected.",
"type": "relationship",
"created": "2017-10-25T14:48:53.743Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--74155759-4c76-42d3-b64f-a898f7b582f9",
"external_references": [
{
"source_name": "Google-TrustManager",
"description": "Google. (n.d.). How to fix apps containing an unsafe implementation of TrustManager. Retrieved December 24, 2016.",
"url": "https://support.google.com/faqs/answer/6346016?hl=en"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Check for potential malicious definitions of URL schemes when vetting applications. Also, when examining apps for potential vulnerabilities, encourage use of universal links as an alternative to URL schemes. When examining apps that use OAuth, encourage use of best practices.",
"type": "relationship",
"created": "2017-10-25T14:48:53.739Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3a446bee-007b-4b1f-849e-60e9d39c2e92",
"external_references": [
{
"source_name": "Apple-UniversalLinks",
"description": "Apple. (n.d.). Support Universal Links. Retrieved December 21, 2016.",
"url": "https://developer.apple.com/library/content/documentation/General/Conceptual/AppSearch/UniversalLinks.html"
},
{
"source_name": "IETF-OAuthNativeApps",
"description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.",
"url": "https://tools.ietf.org/html/rfc8252"
}
],
"modified": "2019-02-03T17:03:45.451Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the the phone and the SIM card.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7d481598-ece7-469c-b231-619a804c25e5",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-03T20:25:14.030Z",
"type": "relationship",
"id": "relationship--1ed76ca9-0ed6-40f9-89c6-64662fdd447d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.740Z",
"source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "As stated in the technical description, Android 7 and above prevent applications from accessing this information.",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-27T00:09:37.634Z",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1",
"external_references": [
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
"relationship_type": "uses",
"target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record audio and take pictures using the device camera.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c",
"external_references": [
{
"source_name": "HackerNews-OldBoot",
"description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.",
"url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc",
"relationship_type": "uses",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Android Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720",
"external_references": [
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On Android, accessing the device contact list requires that the app hold the READ_CONTACTS permission. Apps that request this permission could be closely scrutinized to ensure that the request is appropriate. On iOS, the app vetting process can determine whether apps access the device contact list, with extra scrutiny applied to any that do so.",
"type": "relationship",
"created": "2017-10-25T14:48:53.736Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e183af70-44d5-4d56-9aad-753eb4c1c964",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.733Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--d98a030f-c551-4fd0-9948-32e1ea01f79c",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--dfc1f490-f8b9-4287-8c79-652d42f0a64a",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-10T15:16:17.089Z",
"type": "relationship",
"id": "relationship--b1f2770e-11f0-429c-9bac-9fa5bc5859b0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.746Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e",
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b596251a-73db-4e53-a04d-51be783b0241",
"external_references": [
{
"source_name": "Xiao-KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"relationship_type": "uses",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XLoader](https://attack.mitre.org/software/S0318) covertly records phone calls.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429",
"external_references": [
{
"source_name": "TrendMicro-XLoader",
"description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28",
"external_references": [
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15",
"external_references": [
{
"source_name": "CrowdStrike-Android",
"description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian Field Artillery Units. Retrieved February 6, 2017.",
"url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.739Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9e83607e-2936-4f25-b6d2-c357846840f3",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--49f0f7b8-7208-4650-89c2-5d6b1f166113",
"source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0977107c-9dd3-4cc5-b769-7e29da9f4bb6",
"source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Starting with Android 4.2 the user must provide consent before applications can send SMS messages to premium numbers.",
"type": "relationship",
"id": "relationship--d6930d98-f8a2-4556-baa4-95275d3fa23d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.735Z",
"external_references": [
{
"source_name": "AndroidSecurity2014",
"description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016.",
"url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf"
}
],
"modified": "2019-07-03T20:26:34.202Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1",
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"relationship_type": "uses",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c",
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2",
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Changes were made in Android 7 to help prevent use of this technique.",
"type": "relationship",
"created": "2017-10-25T14:48:53.745Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b2c289bf-e981-4bcd-87dd-b6c0680557e9",
"external_references": [
{
"source_name": "GoogleIO2016",
"description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016.",
"url": "https://www.youtube.com/watch?v=XZzLjllizYs"
}
],
"modified": "2019-02-03T16:56:41.449Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e",
"external_references": [
{
"source_name": "PaloAlto-DualToy",
"description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"relationship_type": "uses",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58",
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7",
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "iOS 9 and above requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple's App Store. Users should be encouraged to not agree to installation of applications signed with enterprise distribution keys unless absolutely certain of the source of the application. On Android, the \"Unknown Sources\" setting must be enabled for users to install apps from sources other than an authorized app store (such as the Google Play Store), so users should be encouraged not to enable that setting.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--57474dcb-329d-4135-8f1a-87490bffdaef",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.739Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b23ec81b-8610-4bb0-a837-2c316c67fa79",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Maggi and Zanero describe a static analysis approach that may be able to identify ransomware apps that encrypt user files on the device.",
"type": "relationship",
"id": "relationship--c5b80ca7-eceb-43ea-991e-10af5d9ca4bc",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.735Z",
"external_references": [
{
"source_name": "Maggi-Ransomware",
"description": "Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.",
"url": "https://www.blackhat.com/docs/eu-16/materials/eu-16-Maggi-Pocket-Sized-Badness-Why-Ransomware-Comes-As-A-Plot-Twist-In-The-Cat-Mouse-Game.pdf"
}
],
"modified": "2019-07-03T20:20:15.575Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-03T20:25:14.045Z",
"type": "relationship",
"id": "relationship--6bb99599-aa51-4492-9c79-296a772233b4",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.740Z",
"source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c",
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059",
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "App store operators and enterprises could assess reputational characteristics of the app, including the popularity of the app or other apps from the same developer and whether or not security issues have been found in other apps from the same developer.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bedb2088-2f26-4380-84df-f238f514dd4c",
"modified": "2019-02-03T17:31:51.765Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send premium SMS messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451",
"external_references": [
{
"source_name": "FireEye-RuMMS",
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"relationship_type": "uses",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b",
"external_references": [
{
"source_name": "PaloAlto-WireLurker",
"description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"relationship_type": "uses",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Use of end-to-end encryption of voice calls and text messages \"provides another layer in the defense against potential information compromise by SS7 enabled eavesdropping.\"",
"type": "relationship",
"created": "2017-10-25T14:48:53.733Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--dc6eb5d7-acef-4eb4-bece-4e8c90c914dc",
"external_references": [
{
"source_name": "CSRIC5-WG10-FinalReport",
"description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
"url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
}
],
"modified": "2019-02-03T16:28:53.074Z",
"source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.735Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6f8b3839-ea91-44d5-ba68-b9d1e6076c19",
"source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.733Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3f3d63f0-1f03-4931-9624-10eaf4b207b4",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "It is rare for applications to utilize Device Administrator access. App vetting can detect apps that do so, and those apps should be closely scrutinized. Maggi and Zanero describe a static analysis approach that can be used to identify ransomware apps including apps that abuse Device Administrator access.",
"type": "relationship",
"id": "relationship--bebf345c-21d5-410f-9015-90c144161e5d",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.739Z",
"external_references": [
{
"source_name": "Maggi-Ransomware",
"description": "Federico Maggi and Stefano Zanero. (2016). Pocket-Sized Badness - Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. Retrieved December 21, 2016.",
"url": "https://www.blackhat.com/docs/eu-16/materials/eu-16-Maggi-Pocket-Sized-Badness-Why-Ransomware-Comes-As-A-Plot-Twist-In-The-Cat-Mouse-Game.pdf"
}
],
"modified": "2019-07-03T20:25:14.051Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-03T20:26:34.204Z",
"type": "relationship",
"id": "relationship--4caf3ad1-6ef8-42de-851d-bdc3a22977b3",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.735Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Marcher](https://attack.mitre.org/software/S0317) is delivered via a link sent by SMS or email, including instructions advising the user to modify their Android device security settings to enable apps to be installed from \"Unknown Sources.\"",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2555c438-cd9f-49ed-93f6-a935a9861c54",
"external_references": [
{
"source_name": "Proofpoint-Marcher",
"description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.",
"url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Marcher](https://attack.mitre.org/software/S0317) attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. [Marcher](https://attack.mitre.org/software/S0317) also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--e75c623a-f9ac-4f46-b093-dd0e40b50cc6",
"external_references": [
{
"source_name": "Proofpoint-Marcher",
"description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.",
"url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291",
"relationship_type": "uses",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a",
"external_references": [
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f",
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7",
"external_references": [
{
"source_name": "Lookout-BrainTest",
"description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.",
"url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
"relationship_type": "uses",
"target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record using the microphone as well as capture photos using the front and back cameras.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ZergHelper](https://attack.mitre.org/software/S0287) abuses enterprise certificates and personal certificates to sign and distribute apps.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2a287c91-2792-407f-a9ee-8153a802b7c6",
"external_references": [
{
"source_name": "Xiao-ZergHelper",
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f6fa0801-418e-43e5-bfae-332e909624fc",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--095f71ad-9a93-45ce-9b77-a101f6c894de",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--290a627d-172d-494d-a0cc-685f480a1034",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e",
"external_references": [
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f",
"external_references": [
{
"source_name": "PaloAlto-XcodeGhost",
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio and video, as well as take photos via front and rear cameras.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to detect whether it is running in an emulator rather than a real device.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--93103ac2-0e3b-4f0f-a054-7f9b947b3172",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--92333055-88ce-4db2-a589-e0e1e617d8e0",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159",
"external_references": [
{
"source_name": "PaloAlto-Xbot",
"description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprises could perform app vetting before allowing apps to be installed on devices and search for abuse of accessibility features as part of the analysis, or otherwise use mobile app reputation services to search for known malicious apps.",
"type": "relationship",
"id": "relationship--077da2d7-0913-4040-b25e-2f6913ed4ea0",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.734Z",
"modified": "2019-07-23T15:35:23.547Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--72d7fa07-e559-4e35-b791-64b7bf8a0aef",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8aa790cc-0d42-4114-8cbe-783abc595b8b",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe",
"source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-10T15:16:17.097Z",
"type": "relationship",
"id": "relationship--465ff71b-2b1b-43b6-ab78-afb273d956d2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.746Z",
"source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record from the camera or microphone as well as take photos from the front and back cameras.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) downloads additional components (APKs, JAR files) from different C&C servers and stores them dynamically into the device\u2019s memory, allowing the adversary to execute additional malicious APKs without having to embed them straight into the initial sample.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2c48d774-99b0-4d69-b485-1a8ef1f23808",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search data being transferred for the Apple account's username and password and the device's GUID.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372",
"external_references": [
{
"source_name": "Xiao-KeyRaider",
"description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.",
"url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"relationship_type": "uses",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or (in older versions) GoogleCloudMessaging.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660",
"external_references": [
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a \"ransom\" payment.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2",
"external_references": [
{
"source_name": "CheckPoint-Charger",
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"relationship_type": "uses",
"target_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a",
"external_references": [
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63",
"external_references": [
{
"source_name": "TrendMicro-RCSAndroid",
"description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"relationship_type": "uses",
"target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c",
"external_references": [
{
"source_name": "Zscaler-SpyNote",
"description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.",
"url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Ensure that applications do not store sensitive data or credentials insecurely (e.g., with insecure file permissions or in an insecure location such as external data storage).",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7ec08d5c-73a1-4444-bd27-892090d6b2e3",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-02-03T16:28:53.048Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.733Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--26a9db86-5ecf-400a-bdd9-419448c2f776",
"source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "It is rare for apps to register themselves as a device keyboard. Apps that do so should be closely scrutinized during the vetting process.",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--903660e1-3996-4ed2-9e7a-4f8c397a71eb",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or the App Links feature added in Android 6.0). For mobile applications using OAuth, encourage use of best practice.",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--5b9a54cd-4925-4a2b-ad61-27d70e673093",
"external_references": [
{
"source_name": "Android-AppLinks",
"description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.",
"url": "https://developer.android.com/training/app-links/index.html"
},
{
"source_name": "IETF-OAuthNativeApps",
"description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.",
"url": "https://tools.ietf.org/html/rfc8252"
}
],
"modified": "2019-02-03T17:05:31.587Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Marcher](https://attack.mitre.org/software/S0317) requests Android Device Administrator access.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9d621873-6d3c-4660-be9a-57e2e8648236",
"external_references": [
{
"source_name": "Proofpoint-Marcher",
"description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.",
"url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291",
"relationship_type": "uses",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location as well as record a video or capture a photo.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce",
"external_references": [
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XLoader](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e",
"external_references": [
{
"source_name": "TrendMicro-XLoader",
"description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"relationship_type": "uses",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d",
"external_references": [
{
"source_name": "Kaspersky-Skygofree",
"description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.",
"url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting techniques could (either statically or dynamically) look for indications that the application downloads and executes new code at runtime (e.g., on Android use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability, or on iOS use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation: additional scrutiny would still need to be applied to applications that use these techniques, because the techniques are often used without malicious intent and because applications may employ other techniques to hide their use of these techniques.",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--94a737af-9a72-48f6-a85e-d9d7fa93bfdd",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.745Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--08e7c0ad-f2d7-472c-97de-3627ca5d2991",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-02-03T17:08:07.545Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.743Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--37c4a0cf-0552-46fd-b067-419b15833044",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Encourage users to protect their account credentials and to enable available multi-factor authentication options.",
"type": "relationship",
"created": "2017-10-25T14:48:53.734Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--69efe716-affe-419e-ac06-924d2e416695",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b",
"external_references": [
{
"source_name": "Gooligan Citation",
"description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.",
"url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de",
"relationship_type": "uses",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891",
"external_references": [
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--51186ad6-e721-49cf-9cf7-89466d5f29f4",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2",
"source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-07-03T20:21:22.321Z",
"type": "relationship",
"id": "relationship--31942635-81b1-4657-8882-50fb97fae64b",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.740Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ebdb9385-6311-4532-b021-2da48734aab7",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[MazarBOT](https://attack.mitre.org/software/S0303) is delivered via an unsolicited text message containing a link to a web download URI.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4fc45b06-287d-4151-9f5a-37bb34dcdeec",
"external_references": [
{
"source_name": "Tripwire-MazarBOT",
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab",
"external_references": [
{
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"relationship_type": "uses",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-02-03T17:08:07.489Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.743Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6eca2456-fdcf-42e9-bcbb-a4c51ce54139",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make \"using a longer, more complex passcode far more practical because you don't need to enter it as frequently.\"",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3",
"external_references": [
{
"source_name": "Apple-iOSSecurityGuide",
"description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.",
"url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf"
}
],
"modified": "2019-02-03T17:08:07.516Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "During application vetting, applications could be examined to see if they have this behavior, and extra scrutiny could potentially be given to applications that do.",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--de1b1f92-c060-4d8c-81bf-465b7fb21be4",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting techniques may be able to alert to the presence of obfuscated or encrypted code in applications, and such applications could have extra scrutiny applied. Unfortunately, this mitigation is likely impractical, as many legitimate applications apply code obfuscation or encryption to resist adversary techniques such as Repackaged Application. Dynamic analysis when used in application vetting may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b4e055cf-f77e-4888-9610-6cd328e035c8",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--50c81a85-8c70-48df-a338-8622d2debc74",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates data using standard HTTP.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418",
"external_references": [
{
"source_name": "Lookout-PegasusAndroid",
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[XLoader](https://attack.mitre.org/software/S0318) collects SMS messages.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a",
"external_references": [
{
"source_name": "TrendMicro-XLoader",
"description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2019-02-03T16:56:41.438Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.745Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3c2d7ccc-5980-4012-8aab-64979bcd0ea6",
"source_ref": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ef977f9e-c505-449f-883a-915c1de1015f",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667",
"external_references": [
{
"source_name": "ArsTechnica-HummingBad",
"description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4",
"relationship_type": "uses",
"target_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0",
"external_references": [
{
"source_name": "ArsTechnica-HummingWhale",
"description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.",
"url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"relationship_type": "uses",
"target_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Android 7.0 and higher includes additional protections against this technique.",
"type": "relationship",
"id": "relationship--55f12292-dc9d-4bfd-9de9-2d07cd67b044",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2017-10-25T14:48:53.734Z",
"modified": "2019-07-23T15:35:23.560Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about changes in SIM card or phone numbers on the device.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c",
"external_references": [
{
"source_name": "Kaspersky-MobileMalware",
"description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.",
"url": "https://securelist.com/mobile-malware-evolution-2013/58335/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Decrease likelihood of successful privilege escalation attack.",
"type": "relationship",
"created": "2017-10-25T14:48:53.736Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--93a524e2-cb17-4b40-8640-a03949e89775",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Application vetting techniques could be used to attempt to identify applications with this behavior.",
"type": "relationship",
"created": "2017-10-25T14:48:53.747Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6c0491ee-53e0-44ae-bcd0-253fc47de61e",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Encourage users to protect their account credentials and to enable available multi-factor authentication options.",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0818895a-0d6d-47cc-ad34-a09bdb76a81b",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Closely scrutinize applications that request VPN access before allowing their use.",
"type": "relationship",
"created": "2017-10-25T14:48:53.738Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6407562a-d297-43cd-95df-aec9cf501ce2",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered device data including phone number, OS version, phone model, and SDK version.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835",
"external_references": [
{
"source_name": "Kaspersky-WUC",
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.741Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ba556d98-4ff2-43a4-bb93-52f99265ff99",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Newer OS versions generally will include security patches against discovered vulnerabilities that become known to the vendor. Additionally, iOS 11.4.1 and higher introduce USB Restricted Mode, which under certain conditions disables data access through the device's charging port (making the port only usable for power), likely preventing this technique from working.",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99",
"external_references": [
{
"source_name": "Elcomsoft-iOSRestricted",
"description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018.",
"url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33",
"external_references": [
{
"source_name": "Lookout-EnterpriseApps",
"description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
"url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Android Overlay Malware](https://attack.mitre.org/software/S0296) was distributed by sending SMS messages with an embedded link to the malware.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8d435703-05c0-4320-945c-05ebe1b06399",
"external_references": [
{
"source_name": "FireEye-AndroidOverlay",
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec",
"external_references": [
{
"source_name": "NYTimes-BackDoor",
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
},
{
"source_name": "BankInfoSecurity-BackDoor",
"description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.",
"url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"relationship_type": "uses",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421",
"external_references": [
{
"source_name": "TrendMicro-DressCode",
"description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"relationship_type": "uses",
"target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--51757971-17ac-40c3-bae7-78365579db49",
"external_references": [
{
"source_name": "TrendMicro-Obad",
"description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde",
"relationship_type": "uses",
"target_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within web sites to encourage users to download the malicious apps. A complex content distribution network (CDN) and series of network redirects is used in an apparent attempt to evade malware detection techniques.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a3ba222d-8dcd-4222-b1d0-169eff16922f",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line. It also accesses browser history, pictures, and videos.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates locally saved files (including photos) as well as live recordings of the device's surroundings.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055",
"external_references": [
{
"source_name": "Wandera-RedDrop",
"description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
"url": "https://www.wandera.com/reddrop-malware/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) in at least one case may have been installed using physical access to the device by a repair shop.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--93c20f43-6684-471c-910f-d9577f289677",
"external_references": [
{
"source_name": "Lookout-StealthMango",
"description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
"relationship_type": "uses",
"target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--09fa9342-34cb-4f0d-8cdf-df4d51d0ae12",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.742Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--00b20e5c-5f52-4a07-bfec-e30872e793e3",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.746Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--4cf9511e-da0e-4055-bc8c-56121ae120d2",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DroidJack](https://attack.mitre.org/software/S0320) performs call recording and video capturing.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b",
"external_references": [
{
"source_name": "Zscaler-SuperMarioRun",
"description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.",
"url": "https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae",
"external_references": [
{
"source_name": "PaloAlto-DualToy",
"description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"relationship_type": "uses",
"target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Advise users to only connect mobile devices to PCs when a justified need exists (e.g., mobile app development and debugging).",
"type": "relationship",
"created": "2017-10-25T14:48:53.737Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--86696d32-0af7-4308-b1fe-52306b9f839a",
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c",
"external_references": [
{
"source_name": "Lookout-NotCompatible",
"description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.",
"url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"relationship_type": "uses",
"target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06",
"external_references": [
{
"source_name": "Lookout-Pegasus",
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims..",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[YiSpecter](https://attack.mitre.org/software/S0311)'s malicious apps were signed with iOS enterprise certificates issued by Apple to allow the apps to be installed as enterprise apps on non-jailbroken iOS devices.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9ea81224-70ef-46c2-89d4-2261c11789b4",
"external_references": [
{
"source_name": "PaloAlto-YiSpecter",
"description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.",
"type": "relationship",
"created": "2018-10-17T00:14:20.652Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f",
"external_references": [
{
"source_name": "PaloAlto-SpyDealer",
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
}
],
"modified": "2018-10-17T00:14:20.652Z",
"source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"relationship_type": "uses",
"target_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"modified": "2018-10-17T00:14:20.652Z",
"type": "relationship",
"created": "2017-10-25T14:48:53.744Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--96027d55-0bdb-4f5f-a559-66c93eab3a17",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device build version, manufacturer, and model.",
"type": "relationship",
"created": "2019-02-01T17:42:22.412Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--566555df-fe3c-4d8b-94b7-6bf3bbd69973",
"external_references": [
{
"source_name": "TrendMicro-Anserver2",
"description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.",
"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A"
}
],
"modified": "2019-03-11T15:13:40.480Z",
"source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.",
"type": "relationship",
"created": "2019-03-11T15:13:40.408Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--919a13bc-74be-4660-af63-454abee92635",
"external_references": [
{
"source_name": "TrendMicro-Anserver2",
"description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.",
"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A"
}
],
"modified": "2019-03-11T15:13:40.408Z",
"source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version.",
"type": "relationship",
"created": "2019-03-11T15:13:40.425Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7",
"external_references": [
{
"source_name": "TrendMicro-Anserver2",
"description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.",
"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A"
}
],
"modified": "2019-03-11T15:13:40.425Z",
"source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.",
"type": "relationship",
"created": "2019-03-11T15:13:40.454Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22",
"external_references": [
{
"source_name": "TrendMicro-Anserver",
"description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
}
],
"modified": "2019-03-11T15:13:40.454Z",
"source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.",
"type": "relationship",
"created": "2019-07-10T15:25:57.572Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:44:44.459Z",
"source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.",
"type": "relationship",
"created": "2019-07-10T15:25:57.585Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:44:44.660Z",
"source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.",
"type": "relationship",
"created": "2019-07-10T15:25:57.602Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:44:44.456Z",
"source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.",
"type": "relationship",
"created": "2019-07-10T15:25:57.604Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:44:44.664Z",
"source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) exfiltrates data over commonly used ports, such as ports 21, 53, and 443.",
"type": "relationship",
"created": "2019-07-10T15:25:57.607Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--29c45d94-f985-4128-b845-bf1159d606cb",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:44:44.661Z",
"source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"relationship_type": "uses",
"target_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.",
"type": "relationship",
"created": "2019-07-10T15:25:57.623Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:44:44.663Z",
"source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
"relationship_type": "uses",
"target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.",
"type": "relationship",
"created": "2019-07-10T15:35:43.610Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.454Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.",
"type": "relationship",
"created": "2019-07-10T15:35:43.631Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.471Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.",
"type": "relationship",
"created": "2019-07-10T15:35:43.665Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--48486680-530c-4ed9-aca3-94969aa262b6",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.504Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.",
"type": "relationship",
"created": "2019-07-10T15:35:43.661Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.506Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.",
"type": "relationship",
"created": "2019-07-10T15:35:43.663Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.530Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.",
"type": "relationship",
"created": "2019-07-10T15:35:43.668Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.528Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) takes pictures with both the front and rear-facing cameras and also captures audio from the device microphone.",
"type": "relationship",
"created": "2019-07-10T15:35:43.699Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.558Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.",
"type": "relationship",
"created": "2019-07-10T15:35:43.712Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.556Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.",
"type": "relationship",
"created": "2019-07-10T15:35:43.710Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--04530307-22d8-4a06-9056-55eea225fabb",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.577Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.",
"type": "relationship",
"created": "2019-07-10T15:35:43.708Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.588Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to download and install attacker-specified applications.",
"type": "relationship",
"created": "2019-07-10T15:35:43.702Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--32625429-e05a-48a5-8f0b-53c6046e9b1a",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.589Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.",
"type": "relationship",
"created": "2019-07-10T15:35:43.704Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fb587f81-1300-438d-a33b-f8d08530788b",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-14T21:33:23.601Z",
"source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) distributes [Pallas](https://attack.mitre.org/software/S0399) via trojanized applications hosted on watering hole websites. ",
"type": "relationship",
"created": "2019-07-10T15:42:09.591Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ae9a0fb3-901b-4da2-b6ad-633ddbfa0a5f",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-16T15:35:21.028Z",
"source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
"relationship_type": "uses",
"target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication. ",
"type": "relationship",
"created": "2019-07-10T15:42:09.606Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71",
"external_references": [
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
}
],
"modified": "2019-07-16T15:35:20.953Z",
"source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to whitelist the allowed apps that can use Android's accessibility features.",
"type": "relationship",
"id": "relationship--fbd2d4f7-96ff-4624-a567-d4882f0c10ca",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"created": "2019-07-23T15:35:23.530Z",
"modified": "2019-07-23T15:35:23.530Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"id": "relationship--f2e23cb7-7bac-4938-91ea-7dd42b41ba29",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"external_references": [
{
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/",
"description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.",
"source_name": "TrendMicro-Anserver"
}
],
"source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8",
"relationship_type": "uses",
"target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673",
"type": "relationship",
"modified": "2018-04-30T13:45:13.024Z",
"created": "2017-12-14T16:46:06.044Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"id": "relationship--f825f5ea-3815-431f-b005-4c01b8b2fed9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"source_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"relationship_type": "revoked-by",
"target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5",
"type": "relationship",
"modified": "2018-04-30T13:45:13.024Z",
"created": "2018-10-17T00:14:20.652Z",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Twitoor](https://attack.mitre.org/software/S0302) uses Twitter for command and control.",
"type": "relationship",
"created": "2017-12-14T16:46:06.044Z",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9d7ac1b2-3fa9-4236-b72d-5565f0c66eab",
"external_references": [
{
"source_name": "ESET-Twitoor",
"description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.",
"url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
}
],
"modified": "2019-02-01T17:38:06.098Z",
"source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"relationship_type": "uses",
"target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0"
},
{
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "[Twitoor](https://attack.mitre.org/software/S0302) is an Android malware family that likely spreads by SMS or via malicious URLs. (Citation: ESET-Twitoor)",
"x_mitre_old_attack_id": "MOB-S0018",
"id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"external_references": [
{
"external_id": "S0302",
"source_name": "mitre-mobile-attack",
"url": "https://attack.mitre.org/software/S0302"
},
{
"source_name": "Twitoor",
"description": "(Citation: ESET-Twitoor)"
},
{
"source_name": "ESET-Twitoor",
"description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.",
"url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
}
],
"x_mitre_version": "1.2",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2019-02-01T17:38:05.973Z",
"type": "malware",
"created": "2017-10-25T14:48:42.313Z",
"x_mitre_platforms": [
"Android"
],
"name": "Twitoor",
"x_mitre_aliases": [
"Twitoor"
],
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"is_family": true
},
{
"created": "2017-10-25T14:48:53.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--49fe6eac-73a7-4147-9121-85fb71fca4ed",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8e49feb1-e401-4e63-acfa-7f8b9a8ca026",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.736Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--0673ca70-d403-4e49-8e18-de4bf8ab700c",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.736Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--bf859944-d097-45ba-ae01-2f85a00cad1f",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.736Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--cdb1ed75-d8a5-4088-b282-0b85588bbc8c",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.736Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--b104c62f-771c-46c5-afc4-a964a94cea50",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.743Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--1a62c9c7-2d3b-4ee7-87d1-d8774050c566",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.742Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--718949aa-6841-48d2-9343-f01be0aa32c1",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.743Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--64a6fb42-65ce-4160-a5c8-ac176f60a2ae",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.743Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--2f5da3a1-19da-421f-be48-cfdcd3c79be1",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.743Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--fa7b38df-eedc-469b-bcec-facdd8365231",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.734Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--047ab474-c4ec-4675-a817-1e0a9f8dd92f",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.734Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--ca7c3278-1d12-4e55-b320-39efa5a285db",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.744Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a834341f-d909-41e3-adaf-5f3450e4090e",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.745Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--c2437c8b-709f-47e8-ae65-21ae48410a9e",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.740Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3a9467d4-09df-4266-ba5a-d40309949e70",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.740Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--176ba064-0657-4850-baa3-626bc845efd3",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.734Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--69bdeed3-d6a8-4d10-8bf5-44c6cb4392e5",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.734Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--a912f528-5218-4e0b-a350-7e9012cccdf3",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.743Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--9adde9d7-4ba0-4e35-93ba-1e85e9eb16bc",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--1a493cb6-452f-46ce-a7b4-267eacd5d2ff",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--3baf01c5-591b-43a0-8963-506531313e68",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.735Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--aa23a2c6-ed8a-4453-95d1-f9a47e14b0f9",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.747Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--8f7c14bf-4c0f-4e54-99c2-41b511220b33",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-10-25T14:48:53.733Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"id": "relationship--aaf0ae2f-07ea-479e-8419-e524e23dbaef",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "Adups is pre-installed on Android devices from some vendors.",
"external_references": [
{
"description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.",
"source_name": "NYTimes-BackDoor",
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
},
{
"description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.",
"source_name": "BankInfoSecurity-BackDoor",
"url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
}
],
"id": "relationship--d792bffd-6745-4da6-a70f-2d5843ef05ca",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"relationship_type": "uses",
"target_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "The Android/Chuli.A malware was delivered via a spear phishing message sent to activist groups containing a malicious Android application as an attachment.",
"external_references": [
{
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"source_name": "Kaspersky-WUC",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"id": "relationship--fb371daf-2771-488f-90ca-5e08b9a36c5c",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "The Android/Chuli.A malicious application sent to activist groups used uploads to an http URL as a command and control mechanism.",
"external_references": [
{
"description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.",
"source_name": "Kaspersky-WUC",
"url": "https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
}
],
"id": "relationship--7c966cde-22fd-4eb2-b518-3e37a8fad88b",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533",
"relationship_type": "uses",
"target_ref": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "AndroidOverlayMalware was distributed by sending \"SMS messages with an embedded link that leads to the malware app.\"",
"external_references": [
{
"description": "Wu Zhou et al. (2016, June 28). THE LATEST ANDROID OVERLAY MALWARE SPREADING VIA SMS PHISHING IN EUROPE. Retrieved December 21, 2016.",
"source_name": "FireEye-AndroidOverlay",
"url": "https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
}
],
"id": "relationship--f14af74f-fb6b-480f-91de-d755c89960ce",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"relationship_type": "uses",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "Charger \"checks whether it is being run in an emulator before it starts its malicious activity\".",
"external_references": [
{
"description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.",
"source_name": "CheckPoint-Charger",
"url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"
}
],
"id": "relationship--7e4be913-d916-4a79-ac00-262a49afe070",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950",
"relationship_type": "uses",
"target_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "MazarBOT is delivered via an unsolicited text message containing a link to a web download URI.",
"external_references": [
{
"description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.",
"source_name": "Tripwire-MazarBOT",
"url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
}
],
"id": "relationship--6fce6a21-ab9b-44a5-be20-9b631109487b",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "Pegasus was delivered via an SMS message containing a link to a web site with malicious code.",
"external_references": [
{
"description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
"source_name": "PegasusCitizenLab",
"url": "https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
}
],
"id": "relationship--9e77b80d-4981-4908-9203-c4e7cea5b5d8",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
"relationship_type": "uses",
"target_ref": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "Pegasus for Android attempts to detect whether it is running in an emulator rather than a real device.",
"external_references": [
{
"description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.",
"source_name": "Lookout-PegasusAndroid",
"url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
}
],
"id": "relationship--0e81eb1d-cd1e-43e1-8c09-03927681ce76",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
"relationship_type": "uses",
"target_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "RuMMS is delivered via a web link to an APK (Android application package). The link is sent via SMS.",
"external_references": [
{
"description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.",
"source_name": "FireEye-RuMMS",
"url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
}
],
"id": "relationship--e3a03a80-0e31-43ef-b802-d6f65c44896d",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
"relationship_type": "uses",
"target_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "\"Malicious actors behind\" Shedun \"repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores. Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.\"",
"external_references": [
{
"description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.",
"source_name": "Lookout-Adware",
"url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
}
],
"id": "relationship--ebc0aa93-93ac-4b7e-ad87-9d5743a09c8e",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898",
"relationship_type": "uses",
"target_ref": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "XcodeGhost was injected into apps by a modified version of Xcode (Apple's software development tool).",
"external_references": [
{
"description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.",
"source_name": "PaloAlto-XcodeGhost1",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"
},
{
"description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.",
"source_name": "PaloAlto-XcodeGhost",
"url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
}
],
"id": "relationship--8e4b2305-1280-4456-8ec7-93c66da5c674",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9",
"relationship_type": "uses",
"target_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "\"YiSpecter's malicious apps were signed with three iOS enterprise certificates issued by Apple so that they can be installed as enterprise apps on non-jailbroken iOS devices.\"",
"external_references": [
{
"description": "[ Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved January 20, 2017.",
"source_name": "PaloAlto-YiSpecter"
}
],
"id": "relationship--c5d6fb25-1782-44c4-b3ae-0cd72e8a6d37",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
"relationship_type": "uses",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "ZergHelper \"appears to have gotten by Apple\u2019s app review process by performing different behaviors for users from different physical locations...For users outside of China, it would act as what it claimed: an English studying app. However, when accessing the app from China, its real features would appear.\" Presumably, Apple's app review occurred outside of China and the \"real features\" were not visible during the review.",
"external_references": [
{
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"source_name": "ZergHelper",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"id": "relationship--eb686f55-85de-42d8-a5a1-69a78af0f1f3",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"relationship_type": "uses",
"target_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
},
{
"created": "2017-12-14T16:46:06.044Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"description": "ZergHelper \"abuses enterprises certificate and personal certificates to sign and distribute apps, which may include code that hasn\u2019t been reviewed, or abuse private APIs.\"",
"external_references": [
{
"description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.",
"source_name": "ZergHelper",
"url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
}
],
"id": "relationship--40581c90-e948-4e91-8530-a9bc59cce9d7",
"modified": "2018-10-23T00:14:20.652Z",
"source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"relationship_type": "uses",
"target_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"type": "relationship",
"spec_version": "2.1",
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_deprecated": true
}
]
}